├── LICENSE ├── README.md ├── ossec-rules ├── local_rules.xml └── windows │ ├── builtin │ ├── win_GPO_scheduledtasks.xml │ ├── win_account_backdoor_dcsync_rights.xml │ ├── win_account_discovery.xml │ ├── win_ad_object_writedac_access.xml │ ├── win_ad_replication_non_machine_account.xml │ ├── win_ad_user_enumeration.xml │ ├── win_admin_rdp_login.xml │ ├── win_admin_share_access.xml │ ├── win_alert_active_directory_user_control.xml │ ├── win_alert_ad_user_backdoors.xml │ ├── win_alert_enable_weak_encryption.xml │ ├── win_alert_lsass_access.xml │ ├── win_alert_mimikatz_keywords.xml │ ├── win_alert_ruler.xml │ ├── win_apt_apt29_tor.xml │ ├── win_apt_carbonpaper_turla.xml │ ├── win_apt_stonedrill.xml │ ├── win_apt_turla_service_png.xml │ ├── win_atsvc_task.xml │ ├── win_audit_cve.xml │ ├── win_av_relevant_match.xml │ ├── win_dcsync.xml │ ├── win_disable_event_logging.xml │ ├── win_dpapi_domain_backupkey_extraction.xml │ ├── win_dpapi_domain_masterkey_backup_attempt.xml │ ├── win_external_device.xml │ ├── win_hack_smbexec.xml │ ├── win_impacket_secretdump.xml │ ├── win_invoke_obfuscation_obfuscated_iex_services.xml │ ├── win_lm_namedpipe.xml │ ├── win_lsass_access_non_system_account.xml │ ├── win_mal_creddumper.xml │ ├── win_mal_service_installs.xml │ ├── win_mal_wceaux_dll.xml │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_installation.xml │ ├── win_mmc20_lateral_movement.xml │ ├── win_net_ntlm_downgrade.xml │ ├── win_new_or_renamed_user_account_with_dollar_sign.xml │ ├── win_overpass_the_hash.xml │ ├── win_pass_the_hash.xml │ ├── win_pass_the_hash_2.xml │ ├── win_possible_dc_shadow.xml │ ├── win_protected_storage_service_access.xml │ ├── win_quarkspwdump_clearing_hive_access_history.xml │ ├── win_rare_schtasks_creations.xml │ ├── win_rare_service_installs.xml │ ├── win_rdp_bluekeep_poc_scanner.xml │ ├── win_rdp_localhost_login.xml │ ├── win_rdp_potential_cve-2019-0708.xml │ ├── win_rdp_reverse_tunnel.xml │ ├── win_register_new_logon_process_by_rubeus.xml │ ├── 
win_remote_powershell_session.xml │ ├── win_remote_registry_management_using_reg_utility.xml │ ├── win_sam_registry_hive_handle_request.xml │ ├── win_scm_database_handle_failure.xml │ ├── win_scm_database_privileged_operation.xml │ ├── win_susp_add_domain_trust.xml │ ├── win_susp_add_sid_history.xml │ ├── win_susp_backup_delete.xml │ ├── win_susp_codeintegrity_check_failure.xml │ ├── win_susp_dhcp_config.xml │ ├── win_susp_dhcp_config_failed.xml │ ├── win_susp_dns_config.xml │ ├── win_susp_dsrm_password_change.xml │ ├── win_susp_eventlog_cleared.xml │ ├── win_susp_failed_logon_reasons.xml │ ├── win_susp_failed_logon_source.xml │ ├── win_susp_interactive_logons.xml │ ├── win_susp_kerberos_manipulation.xml │ ├── win_susp_ldap_dataexchange.xml │ ├── win_susp_local_anon_logon_created.xml │ ├── win_susp_lsass_dump.xml │ ├── win_susp_lsass_dump_generic.xml │ ├── win_susp_mshta_execution.xml │ ├── win_susp_msmpeng_crash.xml │ ├── win_susp_net_recon_activity.xml │ ├── win_susp_ntlm_auth.xml │ ├── win_susp_psexec.xml │ ├── win_susp_raccess_sensitive_fext.xml │ ├── win_susp_rc4_kerberos.xml │ ├── win_susp_rottenpotato.xml │ ├── win_susp_sam_dump.xml │ ├── win_susp_samr_pwset.xml │ ├── win_susp_sdelete.xml │ ├── win_susp_security_eventlog_cleared.xml │ ├── win_susp_time_modification.xml │ ├── win_susp_wmi_login.xml │ ├── win_suspicious_outbound_kerberos_connection.xml │ ├── win_svcctl_remote_service.xml │ ├── win_syskey_registry_access.xml │ ├── win_tap_driver_installation.xml │ ├── win_transferring_files_with_credential_data_via_network_shares.xml │ ├── win_usb_device_plugged.xml │ ├── win_user_added_to_local_administrators.xml │ ├── win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.xml │ ├── win_user_creation.xml │ ├── win_user_driver_loaded.xml │ └── win_vul_cve_2020_0688.xml │ ├── malware │ ├── mal_azorult_reg.xml │ ├── win_mal_blue_mockingbird.xml │ ├── win_mal_ryuk.xml │ └── win_mal_ursnif.xml │ ├── other │ ├── win_defender_bypass.xml │ ├── 
win_tool_psexec.xml │ └── win_wmi_persistence.xml │ ├── powershell │ ├── powershell_alternate_powershell_hosts.xml │ ├── powershell_clear_powershell_history.xml │ ├── powershell_create_local_user.xml │ ├── powershell_data_compressed.xml │ ├── powershell_dnscat_execution.xml │ ├── powershell_downgrade_attack.xml │ ├── powershell_exe_calling_ps.xml │ ├── powershell_invoke_obfuscation_obfuscated_iex.xml │ ├── powershell_malicious_commandlets.xml │ ├── powershell_malicious_keywords.xml │ ├── powershell_nishang_malicious_commandlets.xml │ ├── powershell_ntfs_ads_access.xml │ ├── powershell_prompt_credentials.xml │ ├── powershell_psattack.xml │ ├── powershell_remote_powershell_session.xml │ ├── powershell_shellcode_b64.xml │ ├── powershell_suspicious_download.xml │ ├── powershell_suspicious_invocation_generic.xml │ ├── powershell_suspicious_invocation_specific.xml │ ├── powershell_suspicious_keywords.xml │ ├── powershell_suspicious_profile_create.xml │ ├── powershell_winlogon_helper_dll.xml │ └── powershell_wmimplant.xml │ ├── process_creation │ ├── win_advanced_ip_scanner.xml │ ├── win_apt_apt29_thinktanks.xml │ ├── win_apt_babyshark.xml │ ├── win_apt_bear_activity_gtr19.xml │ ├── win_apt_bluemashroom.xml │ ├── win_apt_chafer_mar18.xml │ ├── win_apt_cloudhopper.xml │ ├── win_apt_dragonfly.xml │ ├── win_apt_elise.xml │ ├── win_apt_emissarypanda_sep19.xml │ ├── win_apt_empiremonkey.xml │ ├── win_apt_equationgroup_dll_u_load.xml │ ├── win_apt_gallium.xml │ ├── win_apt_greenbug_may20.xml │ ├── win_apt_hurricane_panda.xml │ ├── win_apt_judgement_panda_gtr19.xml │ ├── win_apt_mustangpanda.xml │ ├── win_apt_slingshot.xml │ ├── win_apt_sofacy.xml │ ├── win_apt_ta17_293a_ps.xml │ ├── win_apt_tropictrooper.xml │ ├── win_apt_turla_commands.xml │ ├── win_apt_unidentified_nov_18.xml │ ├── win_apt_winnti_mal_hk_jan20.xml │ ├── win_apt_wocao.xml │ ├── win_apt_zxshell.xml │ ├── win_attrib_hiding_files.xml │ ├── win_bootconf_mod.xml │ ├── win_bypass_squiblytwo.xml │ ├── 
win_change_default_file_association.xml │ ├── win_cmdkey_recon.xml │ ├── win_cmstp_com_object_access.xml │ ├── win_control_panel_item.xml │ ├── win_copying_sensitive_files_with_credential_data.xml │ ├── win_crime_fireball.xml │ ├── win_crime_maze_ransomware.xml │ ├── win_data_compressed_with_rar.xml │ ├── win_dns_exfiltration_tools_execution.xml │ ├── win_dsquery_domain_trust_discovery.xml │ ├── win_encoded_frombase64string.xml │ ├── win_encoded_iex.xml │ ├── win_etw_trace_evasion.xml │ ├── win_exfiltration_and_tunneling_tools_execution.xml │ ├── win_exploit_cve_2015_1641.xml │ ├── win_exploit_cve_2017_0261.xml │ ├── win_exploit_cve_2017_11882.xml │ ├── win_exploit_cve_2017_8759.xml │ ├── win_exploit_cve_2019_1378.xml │ ├── win_exploit_cve_2019_1388.xml │ ├── win_exploit_cve_2020_10189.xml │ ├── win_exploit_cve_2020_1048.xml │ ├── win_file_permission_modifications.xml │ ├── win_grabbing_sensitive_hives_via_reg.xml │ ├── win_hack_bloodhound.xml │ ├── win_hack_koadic.xml │ ├── win_hack_rubeus.xml │ ├── win_hack_secutyxploded.xml │ ├── win_hh_chm.xml │ ├── win_hktl_createminidump.xml │ ├── win_html_help_spawn.xml │ ├── win_hwp_exploits.xml │ ├── win_impacket_lateralization.xml │ ├── win_indirect_cmd.xml │ ├── win_install_reg_debugger_backdoor.xml │ ├── win_interactive_at.xml │ ├── win_invoke_obfuscation_obfuscated_iex_commandline.xml │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.xml │ ├── win_lethalhta.xml │ ├── win_local_system_owner_account_discovery.xml │ ├── win_lsass_dump.xml │ ├── win_mal_adwind.xml │ ├── win_malware_dridex.xml │ ├── win_malware_dtrack.xml │ ├── win_malware_emotet.xml │ ├── win_malware_formbook.xml │ ├── win_malware_notpetya.xml │ ├── win_malware_qbot.xml │ ├── win_malware_ryuk.xml │ ├── win_malware_script_dropper.xml │ ├── win_malware_trickbot_recon_activity.xml │ ├── win_malware_wannacry.xml │ ├── win_mavinject_proc_inj.xml │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start.xml │ ├── win_mimikatz_command_line.xml │ 
├── win_mmc_spawn_shell.xml │ ├── win_mshta_javascript.xml │ ├── win_mshta_spawn_shell.xml │ ├── win_multiple_suspicious_cli.xml │ ├── win_net_enum.xml │ ├── win_net_user_add.xml │ ├── win_netsh_allow_port_rdp.xml │ ├── win_netsh_fw_add.xml │ ├── win_netsh_fw_add_susp_image.xml │ ├── win_netsh_packet_capture.xml │ ├── win_netsh_port_fwd.xml │ ├── win_netsh_port_fwd_3389.xml │ ├── win_netsh_wifi_credential_harvesting.xml │ ├── win_network_sniffing.xml │ ├── win_new_service_creation.xml │ ├── win_non_interactive_powershell.xml │ ├── win_office_shell.xml │ ├── win_office_spawn_exe_from_users_directory.xml │ ├── win_plugx_susp_exe_locations.xml │ ├── win_possible_applocker_bypass.xml │ ├── win_possible_privilege_escalation_using_rotten_potato.xml │ ├── win_powershell_amsi_bypass.xml │ ├── win_powershell_audio_capture.xml │ ├── win_powershell_b64_shellcode.xml │ ├── win_powershell_bitsjob.xml │ ├── win_powershell_dll_execution.xml │ ├── win_powershell_downgrade_attack.xml │ ├── win_powershell_download.xml │ ├── win_powershell_frombase64string.xml │ ├── win_powershell_suspicious_parameter_variation.xml │ ├── win_powershell_xor_commandline.xml │ ├── win_powersploit_empire_schtasks.xml │ ├── win_proc_wrong_parent.xml │ ├── win_process_creation_bitsadmin_download.xml │ ├── win_process_dump_rundll32_comsvcs.xml │ ├── win_psexesvc_start.xml │ ├── win_query_registry.xml │ ├── win_rdp_hijack_shadowing.xml │ ├── win_remote_powershell_session_process.xml │ ├── win_remote_time_discovery.xml │ ├── win_renamed_binary.xml │ ├── win_renamed_binary_highly_relevant.xml │ ├── win_renamed_jusched.xml │ ├── win_renamed_paexec.xml │ ├── win_renamed_powershell.xml │ ├── win_renamed_procdump.xml │ ├── win_renamed_psexec.xml │ ├── win_run_powershell_script_from_ads.xml │ ├── win_sdbinst_shim_persistence.xml │ ├── win_service_execution.xml │ ├── win_service_stop.xml │ ├── win_shadow_copies_access_symlink.xml │ ├── win_shadow_copies_creation.xml │ ├── win_shadow_copies_deletion.xml │ ├── 
win_shell_spawn_susp_program.xml │ ├── win_silenttrinity_stage_use.xml │ ├── win_soundrec_audio_capture.xml │ ├── win_spn_enum.xml │ ├── win_susp_bcdedit.xml │ ├── win_susp_bginfo.xml │ ├── win_susp_calc.xml │ ├── win_susp_cdb.xml │ ├── win_susp_certutil_command.xml │ ├── win_susp_certutil_encode.xml │ ├── win_susp_cli_escape.xml │ ├── win_susp_cmd_http_appdata.xml │ ├── win_susp_codepage_switch.xml │ ├── win_susp_commands_recon_activity.xml │ ├── win_susp_compression_params.xml │ ├── win_susp_comsvcs_procdump.xml │ ├── win_susp_control_dll_load.xml │ ├── win_susp_copy_lateral_movement.xml │ ├── win_susp_crackmapexec_execution.xml │ ├── win_susp_crackmapexec_powershell_obfuscation.xml │ ├── win_susp_csc.xml │ ├── win_susp_csc_folder.xml │ ├── win_susp_curl_start_combo.xml │ ├── win_susp_dctask64_proc_inject.xml │ ├── win_susp_devtoolslauncher.xml │ ├── win_susp_direct_asep_reg_keys_modification.xml │ ├── win_susp_dnx.xml │ ├── win_susp_double_extension.xml │ ├── win_susp_dxcap.xml │ ├── win_susp_eventlog_clear.xml │ ├── win_susp_exec_folder.xml │ ├── win_susp_execution_path.xml │ ├── win_susp_execution_path_webserver.xml │ ├── win_susp_file_characteristics.xml │ ├── win_susp_firewall_disable.xml │ ├── win_susp_fsutil_usage.xml │ ├── win_susp_gup.xml │ ├── win_susp_iss_module_install.xml │ ├── win_susp_msiexec_cwd.xml │ ├── win_susp_msiexec_web_install.xml │ ├── win_susp_msoffice.xml │ ├── win_susp_net_execution.xml │ ├── win_susp_netsh_dll_persistence.xml │ ├── win_susp_ntdsutil.xml │ ├── win_susp_odbcconf.xml │ ├── win_susp_openwith.xml │ ├── win_susp_outlook.xml │ ├── win_susp_outlook_temp.xml │ ├── win_susp_ping_hex_ip.xml │ ├── win_susp_powershell_empire_launch.xml │ ├── win_susp_powershell_empire_uac_bypass.xml │ ├── win_susp_powershell_enc_cmd.xml │ ├── win_susp_powershell_hidden_b64_cmd.xml │ ├── win_susp_powershell_parent_combo.xml │ ├── win_susp_procdump.xml │ ├── win_susp_process_creations.xml │ ├── win_susp_prog_location_process_starts.xml │ ├── 
win_susp_ps_appdata.xml │ ├── win_susp_ps_downloadfile.xml │ ├── win_susp_psr_capture_screenshots.xml │ ├── win_susp_rasdial_activity.xml │ ├── win_susp_recon_activity.xml │ ├── win_susp_regsvr32_anomalies.xml │ ├── win_susp_renamed_dctask64.xml │ ├── win_susp_run_locations.xml │ ├── win_susp_rundll32_activity.xml │ ├── win_susp_rundll32_by_ordinal.xml │ ├── win_susp_schtask_creation.xml │ ├── win_susp_script_execution.xml │ ├── win_susp_service_path_modification.xml │ ├── win_susp_squirrel_lolbin.xml │ ├── win_susp_svchost.xml │ ├── win_susp_svchost_no_cli.xml │ ├── win_susp_sysprep_appdata.xml │ ├── win_susp_sysvol_access.xml │ ├── win_susp_taskmgr_localsystem.xml │ ├── win_susp_taskmgr_parent.xml │ ├── win_susp_tscon_localsystem.xml │ ├── win_susp_tscon_rdp_redirect.xml │ ├── win_susp_use_of_csharp_console.xml │ ├── win_susp_userinit_child.xml │ ├── win_susp_whoami.xml │ ├── win_susp_wmi_execution.xml │ ├── win_sysmon_driver_unload.xml │ ├── win_system_exe_anomaly.xml │ ├── win_tap_installer_execution.xml │ ├── win_task_folder_evasion.xml │ ├── win_termserv_proc_spawn.xml │ ├── win_trust_discovery.xml │ ├── win_uac_cmstp.xml │ ├── win_uac_fodhelper.xml │ ├── win_uac_wsreset.xml │ ├── win_using_sc_to_change_sevice_image_path_by_non_admin.xml │ ├── win_vul_java_remote_debugging.xml │ ├── win_webshell_detection.xml │ ├── win_webshell_spawn.xml │ ├── win_whoami_as_system.xml │ ├── win_win10_sched_task_0day.xml │ ├── win_wmi_backdoor_exchange_transport_agent.xml │ ├── win_wmi_persistence_script_event_consumer.xml │ ├── win_wmi_spwns_powershell.xml │ ├── win_wmiprvse_spawning_process.xml │ ├── win_workflow_compiler.xml │ ├── win_wsreset_uac_bypass.xml │ └── win_xsl_script_processing.xml │ └── sysmon │ ├── sysmon_ads_executable.xml │ ├── sysmon_alternate_powershell_hosts_pipe.xml │ ├── sysmon_apt_oceanlotus_registry.xml │ ├── sysmon_apt_pandemic.xml │ ├── sysmon_apt_turla_namedpipes.xml │ ├── sysmon_asep_reg_keys_modification.xml │ ├── sysmon_cactustorch.xml │ ├── 
sysmon_cmstp_execution.xml │ ├── sysmon_cobaltstrike_process_injection.xml │ ├── sysmon_createremotethread_loadlibrary.xml │ ├── sysmon_creation_system_file.xml │ ├── sysmon_cred_dump_lsass_access.xml │ ├── sysmon_cred_dump_tools_dropped_files.xml │ ├── sysmon_cred_dump_tools_named_pipes.xml │ ├── sysmon_cve-2020-1048.xml │ ├── sysmon_dhcp_calloutdll.xml │ ├── sysmon_disable_security_events_logging_adding_reg_key_minint.xml │ ├── sysmon_dns_serverlevelplugindll.xml │ ├── sysmon_ghostpack_safetykatz.xml │ ├── sysmon_hack_dumpert.xml │ ├── sysmon_hack_wce.xml │ ├── sysmon_in_memory_assembly_execution.xml │ ├── sysmon_in_memory_powershell.xml │ ├── sysmon_invoke_phantom.xml │ ├── sysmon_logon_scripts_userinitmprlogonscript.xml │ ├── sysmon_lsass_memdump.xml │ ├── sysmon_lsass_memory_dump_file_creation.xml │ ├── sysmon_mal_namedpipes.xml │ ├── sysmon_malware_backconnect_ports.xml │ ├── sysmon_malware_verclsid_shellcode.xml │ ├── sysmon_mimikatz_inmemory_detection.xml │ ├── sysmon_mimikatz_trough_winrm.xml │ ├── sysmon_minidumwritedump_lsass.xml │ ├── sysmon_narrator_feedback_persistance.xml │ ├── sysmon_new_dll_added_to_appcertdlls_registry_key.xml │ ├── sysmon_new_dll_added_to_appinit_dlls_registry_key.xml │ ├── sysmon_notepad_network_connection.xml │ ├── sysmon_password_dumper_lsass.xml │ ├── sysmon_possible_dns_rebinding.xml │ ├── sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.xml │ ├── sysmon_powershell_execution_moduleload.xml │ ├── sysmon_powershell_exploit_scripts.xml │ ├── sysmon_powershell_network_connection.xml │ ├── sysmon_quarkspw_filedump.xml │ ├── sysmon_raw_disk_access_using_illegitimate_tools.xml │ ├── sysmon_rdp_registry_modification.xml │ ├── sysmon_rdp_reverse_tunnel.xml │ ├── sysmon_rdp_settings_hijack.xml │ ├── sysmon_registry_persistence_key_linking.xml │ ├── sysmon_registry_persistence_search_order.xml │ ├── sysmon_registry_trust_record_modification.xml │ ├── sysmon_regsvr32_network_activity.xml │ ├── 
sysmon_remote_powershell_session_network.xml │ ├── sysmon_renamed_jusched.xml │ ├── sysmon_renamed_powershell.xml │ ├── sysmon_renamed_procdump.xml │ ├── sysmon_renamed_psexec.xml │ ├── sysmon_rundll32_net_connections.xml │ ├── sysmon_ssp_added_lsa_config.xml │ ├── sysmon_stickykey_like_backdoor.xml │ ├── sysmon_susp_adsi_cache_usage.xml │ ├── sysmon_susp_desktop_ini.xml │ ├── sysmon_susp_download_run_key.xml │ ├── sysmon_susp_driver_load.xml │ ├── sysmon_susp_image_load.xml │ ├── sysmon_susp_lsass_dll_load.xml │ ├── sysmon_susp_office_dotnet_assembly_dll_load.xml │ ├── sysmon_susp_office_dotnet_clr_dll_load.xml │ ├── sysmon_susp_office_dotnet_gac_dll_load.xml │ ├── sysmon_susp_office_dsparse_dll_load.xml │ ├── sysmon_susp_office_kerberos_dll_load.xml │ ├── sysmon_susp_powershell_rundll32.xml │ ├── sysmon_susp_procexplorer_driver_created_in_tmp_folder.xml │ ├── sysmon_susp_prog_location_network_connection.xml │ ├── sysmon_susp_rdp.xml │ ├── sysmon_susp_reg_persist_explorer_run.xml │ ├── sysmon_susp_run_key_img_folder.xml │ ├── sysmon_susp_service_installed.xml │ ├── sysmon_susp_winword_vbadll_load.xml │ ├── sysmon_susp_winword_wmidll_load.xml │ ├── sysmon_suspicious_dbghelp_dbgcore_load.xml │ ├── sysmon_suspicious_keyboard_layout_load.xml │ ├── sysmon_suspicious_outbound_kerberos_connection.xml │ ├── sysmon_suspicious_remote_thread.xml │ ├── sysmon_svchost_dll_search_order_hijack.xml │ ├── sysmon_sysinternals_eula_accepted.xml │ ├── sysmon_tsclient_filewrite_startup.xml │ ├── sysmon_uac_bypass_eventvwr.xml │ ├── sysmon_uac_bypass_sdclt.xml │ ├── sysmon_unsigned_image_loaded_into_lsass.xml │ ├── sysmon_webshell_creation_detect.xml │ ├── sysmon_win_binary_github_com.xml │ ├── sysmon_win_binary_susp_com.xml │ ├── sysmon_win_reg_persistence.xml │ ├── sysmon_wmi_event_subscription.xml │ ├── sysmon_wmi_module_load.xml │ ├── sysmon_wmi_persistence_commandline_event_consumer.xml │ ├── sysmon_wmi_persistence_script_event_consumer_write.xml │ └── 
sysmon_wmi_susp_scripting.xml ├── sigWah.py └── sysmonconfig.xml /ossec-rules/windows/builtin/win_account_discovery.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4661$ 4 | SAM_USER|SAM_GROUP 5 | -512|-502|-500|-505|-519|-520|-544|-551|-555|admin 6 | ATT&CK T1087: AD Privileged Users or Groups Reconnaissance 7 | Detects reconnaissance of privileged users or groups based on event ID 4661 (a handle was requested to a SAM_USER or SAM_GROUP object) combined with the well-known RIDs of privileged accounts and groups (e.g. -500 Administrator, -512 Domain Admins, -519 Enterprise Admins) or the string 'admin' in the object name. 8 | Falsepositives: Low. If the source account is not an administrator, this activity is highly suspicious. 9 | Sigma UUID: 35ba1d85-724d-42a3-889f-2e2362bcaf23 10 | https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html 11 | attack.discovery,attack.t1087,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_ad_object_writedac_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4662$ 4 | DS 5 | 262144 6 | 19195a5b-6da0-11d0-afd3-00c04fd930c9|domainDNS 7 | ATT&CK T1222: AD Object WriteDAC Access 8 | Detects WRITE_DAC access (access mask 262144 = 0x40000) to a domain object in event 4662. Changing a domain object's DACL is a common step in Active Directory persistence and backdooring (e.g. granting replication rights to an unprivileged account). 9 | Falsepositives: Unknown. 10 | Sigma UUID: 028c7842-4243-41cd-be6f-12f3cf1a26c7 11 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md 12 | attack.defense_evasion,attack.t1222,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_admin_rdp_login.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4624$ 4 | 10 5 | Negotiate 6 | Admin- 7 | ATT&CK T1078: Admin User Remote Logon 8 | Detects a remote interactive logon (event 4624, logon type 10) by an account whose name matches the internal administrative naming pattern 'Admin-'. The pattern is site-specific and must be adapted to the naming convention used for administrative accounts in your environment. 9 | Falsepositives: Legitimate administrative activity. 
10 | Sigma UUID: 0f63e1ef-1eb9-4226-9d54-8927ca08520a 11 | https://car.mitre.org/wiki/CAR-2016-04-005 12 | attack.lateral_movement,attack.t1078,car.2016-04-005,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_admin_share_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5140$ 4 | Admin\$ 5 | ATT&CK T1077: Access to ADMIN$ Share 6 | Detects access to the ADMIN$ share (event 5140, a network share object was accessed). ADMIN$ maps to the system root and is commonly used by remote service-based execution tools to stage their binaries, so access from unexpected accounts or hosts warrants investigation. 7 | Falsepositives: Legitimate administrative activity. 8 | Sigma UUID: 098d7118-55bc-4912-a836-dc6483a8d150 9 | attack.lateral_movement,attack.t1077,MITRE 10 | 11 | 12 | 13 | 300030 14 | \$ 15 | Whitelist Interaction: Access to ADMIN$ Share 16 | attack.lateral_movement,attack.t1077,MITRE 17 | 18 | 19 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_alert_active_directory_user_control.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4704$ 4 | SeEnableDelegationPrivilege 5 | ATT&CK T1078: Enabled User Right in AD to Control User Objects 6 | Detects event 4704 (a user right was assigned) granting SeEnableDelegationPrivilege. A principal holding this right on a domain controller can configure Kerberos delegation settings on accounts, which in practice allows it to take control of other AD user objects (see the reference). 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 311b6ce2-7890-4383-a8c2-663a9f6b43cd 9 | https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ 10 | attack.privilege_escalation,attack.t1078,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_alert_enable_weak_encryption.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4738$ 4 | DES|Preauth|Encrypted 5 | !Enabled 6 | ATT&CK T1089: Weak Encryption Enabled and Kerberoast 7 | Detects a user account change (event 4738) that enables a weak credential setting on the account: DES-only Kerberos encryption, 'Do not require Kerberos preauthentication', or 'Store password using reversible encryption'. Each of these makes the account's credential material easier to obtain or crack offline (e.g. AS-REP roasting when preauthentication is disabled). 8 | Falsepositives: Unknown. 9 | Sigma UUID: f6de9536-0441-4b3f-a646-f4e00f300ffd 10 | https://adsecurity.org/?p=2053 11 | https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ 12 | attack.defense_evasion,attack.t1089,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_alert_lsass_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^1121$ 4 | \\\\lsass.exe 5 | ATT&CK T1003: LSASS Access Detected via Attack Surface Reduction 6 | Detects an Attack Surface Reduction (ASR) block event (Windows Defender Operational log event ID 1121) for access to the LSASS process, i.e. the ASR rule protecting LSASS fired in block mode. Note that audit-mode ASR hits are logged under a different event ID and are not matched by this rule. 7 | Falsepositives: Google Chrome GoogleUpdate.exe. Some Taskmgr.exe related activity. 
8 | Sigma UUID: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 9 | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_alert_mimikatz_keywords.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | mimikatz | mimilib | \<3 eo.oe | eo.oe.kiwi | privilege::debug | sekurlsa::logonpasswords | lsadump::sam | mimidrv.sys | p::d | s::l 4 | ATT&CK S0002 T1003: Mimikatz Use 5 | Matches Mimikatz keywords (module names, command strings and artefacts such as mimidrv.sys) anywhere in the Windows event logs. Some of these strings only appear in older Mimikatz versions, which are nevertheless still used by various threat groups; 'p::d' and 's::l' are the short forms of 'privilege::debug' and 'sekurlsa::logonpasswords'. 6 | Falsepositives: Naughty administrators. Penetration test. 7 | Sigma UUID: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 8 | attack.s0002,attack.t1003,attack.lateral_movement,attack.credential_access,car.2013-07-001,car.2019-04-004,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_apt_carbonpaper_turla.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^7045$ 4 | srservice|ipvpn|hkmsvc 5 | ATT&CK T1050: Turla Service Install 6 | Detects the installation (event 7045) of a service whose name matches one of the malicious services (srservice, ipvpn, hkmsvc) described in ESET's Carbon Paper / Turla report. 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 9 | https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ 10 | attack.persistence,attack.g0010,attack.t1050,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_apt_stonedrill.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^7045$ 4 | NtsSrv 5 | LocalService 6 | ATT&CK T1050: StoneDrill Service Install 7 | Detects the installation (event 7045) of the malicious 'NtsSrv' service (running as LocalService and presented as 'Microsoft Network Realtime Inspection Service') described in Kaspersky's StoneDrill report. 8 | Falsepositives: Unlikely. 9 | Sigma UUID: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 10 | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ 11 | attack.persistence,attack.g0064,attack.t1050,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_apt_turla_service_png.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^7045$ 4 | WerFaultSvc 5 | ATT&CK T1050: Turla PNG Dropper Service 6 | Detects the installation (event 7045) of a service named 'WerFaultSvc', the malicious service described in NCC Group's November 2018 report on the Turla PNG dropper. 7 | Falsepositives: Unlikely. 
8 | Sigma UUID: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 9 | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ 10 | attack.persistence,attack.g0010,attack.t1050,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_atsvc_task.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | \\\\\.*\\\\IPC\$ 5 | atsvc 6 | WriteData 7 | ATT&CK T1053: Remote Task Creation via ATSVC Named Pipe 8 | Detects remote scheduled task creation through the ATSVC named pipe: event 5145 (detailed file share access) showing WriteData access to 'atsvc' on an IPC$ share, as produced by at.exe or by tools that drive the AT-Scheduler RPC interface directly. 9 | Falsepositives: pentesting. 10 | Sigma UUID: f6de6525-4509-495a-8a82-1f8b0ed73a00 11 | https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html 12 | attack.lateral_movement,attack.persistence,attack.t1053,car.2013-05-004,car.2015-04-001,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_av_relevant_match.xml: -------------------------------------------------------------------------------- 1 | 2 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_dpapi_domain_backupkey_extraction.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4662$ 4 | SecretObject 5 | 0x2 6 | BCKUPKEY 7 | ATT&CK T1003: DPAPI Domain Backup Key Extraction 8 | Detects tools extracting the DPAPI domain backup key from a Domain Controller's LSA secrets: event 4662 on a SecretObject whose name contains 'BCKUPKEY', requested with access mask 0x2. Possession of this key allows decryption of any domain user's DPAPI-protected data. 9 | Falsepositives: Unknown. 
10 | Sigma UUID: 4ac1f50b-3bd0-4968-902d-868b4647937e 11 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md 12 | attack.credential_access,attack.t1003,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4692$ 4 | ATT&CK T1003: DPAPI Domain Master Key Backup Attempt 5 | Detects any attempt to back up a DPAPI master key (event 4692). This event is generated on the host where the backup is attempted, not on the Domain Controller, so it must be collected from workstations and member servers as well. 6 | Falsepositives: Unknown. 7 | Sigma UUID: 39a94fd1-8c9a-4ff6-bf22-c058762f8014 8 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md 9 | attack.credential_access,attack.t1003,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_hack_smbexec.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^7045$ 4 | BTOBTO 5 | \\\\execute.bat 6 | ATT&CK T1077 T1035: smbexec.py Service Installation 7 | Detects the use of smbexec.py (Impacket) by its characteristic service installation (event 7045): a service named 'BTOBTO' whose image path references 'execute.bat'. Both strings are tool defaults that an operator can change, so this rule catches stock usage only. 8 | Falsepositives: Penetration Test. Unknown. 
9 | Sigma UUID: 52a85084-6989-40c3-8f32-091e12e13f09 10 | https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ 11 | attack.lateral_movement,attack.execution,attack.t1077,attack.t1035,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_impacket_secretdump.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | \\\\\.*\\\\ADMIN\$ 5 | SYSTEM32\\\\\.*.tmp 6 | ATT&CK T1003: Possible Impacket SecretDump Remote Activity 7 | Detects remote AD credential dumping with Impacket's secretsdump.py, which accesses temporary '.tmp' files under SYSTEM32 through the ADMIN$ share (event 5145, detailed file share access). 8 | Falsepositives: pentesting. 9 | Sigma UUID: 252902e3-5830-4cf6-bf21-c22083dfd5cf 10 | https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html 11 | attack.credential_access,attack.t1003,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_mal_wceaux_dll.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$|^4658$|^4660$|^4663$ 4 | \\\\wceaux.dll 5 | ATT&CK T1003 S0005: WCE wceaux.dll Access 6 | Detects object access events (4656/4658/4660/4663) for 'wceaux.dll', which Windows Credential Editor (WCE) drops on the source host during pass-the-hash remote command execution. These events require object access auditing (file system SACLs) to be configured on the relevant paths. 7 | Falsepositives: Penetration testing. 8 | Sigma UUID: 1de68c67-af5c-4097-9c85-fe5578e09e67 9 | https://www.jpcert.or.jp/english/pub/sr/ir_research.html 10 | https://jpcertcc.github.io/ToolAnalysisResultSheet 11 | attack.credential_access,attack.t1003,attack.s0005,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4720$|^4781$ 4 | \$ 5 | ATT&CK T1036: New or Renamed User Account with '$' in Attribute 'SamAccountName'. 
6 | Detects a user account being created (event 4720) or renamed (event 4781) with a '$' in its SamAccountName. Such names mimic computer accounts and can evade EDR/SIEM logic that excludes machine accounts (names ending in '$'). 7 | Falsepositives: Unknown. 8 | Sigma UUID: cfeed607-6aa4-4bbd-9627-b637deb723c8 9 | attack.defense_evasion,attack.t1036,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_protected_storage_service_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | IPC 5 | protected_storage 6 | ATT&CK T1021: Protected Storage Service Access 7 | Detects network access to the 'protected_storage' named pipe over IPC$ (event 5145). Remote use of this pipe is one way to abuse DPAPI in order to extract domain backup keys from Domain Controllers. 8 | Falsepositives: Unknown. 9 | Sigma UUID: 45545954-4016-43c6-855e-eae8f1c369dc 10 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md 11 | attack.lateral_movement,attack.t1021,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^16$ 4 | \\\\AppData\\\\Local\\\\Temp\\\\SAM 5 | .dmp$ 6 | ATT&CK T1003: QuarksPwDump Clearing Access History 7 | Detects QuarksPwDump clearing the access history of a registry hive: a Kernel-General event 16 (hive access history cleared) referencing a hive file named 'SAM*.dmp' under AppData\Local\Temp, where the tool stores its SAM dump. 8 | Falsepositives: Unknown. 
9 | Sigma UUID: 39f919f3-980b-4e6f-a975-8af7e507ef2b 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_rare_schtasks_creations.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_rare_service_installs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_rdp_bluekeep_poc_scanner.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4625$ 4 | AAAAAAA 5 | ATT&CK T1210: Scanner PoC for CVE-2019-0708 RDP RCE Vuln 6 | Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep 7 | Falsepositives: Unlikely. 8 | Sigma UUID: 8400629e-79a9-4737-b387-5db940ab2367 9 | https://twitter.com/AdamTheAnalyst/status/1134394070045003776 10 | https://github.com/zerosum0x0/CVE-2019-0708 11 | attack.lateral_movement,attack.t1210,car.2013-07-002,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_rdp_localhost_login.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4624$ 4 | 10 5 | ::1|127.0.0.1 6 | ATT&CK T1076: RDP Login from Localhost 7 | RDP login with localhost source address may be a tunnelled login 8 | Falsepositives: Unknown. 
9 | Sigma UUID: 51e33403-2a37-4d66-a574-1fda1782cc31 10 | https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 11 | attack.lateral_movement,attack.t1076,car.2013-07-002,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_rdp_potential_cve-2019-0708.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^56$|^50$ 4 | TermDD 5 | ATT&CK T1210 T1190: Potential RDP Exploit CVE-2019-0708 6 | Detects a suspicious error in the RDP protocol, potentially CVE-2019-0708 7 | Falsepositives: Bad connections or network interruptions. 8 | Sigma UUID: aaa5b30d-f418-420b-83a0-299cb6024885 9 | https://github.com/zerosum0x0/CVE-2019-0708 10 | https://github.com/Ekultek/BlueKeep 11 | attack.initial_access,attack.lateral_movement,attack.t1210,attack.t1190,car.2013-07-002,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_register_new_logon_process_by_rubeus.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4611$ 4 | User32LogonProcesss 5 | ATT&CK T1208: Register new Logon Process by Rubeus 6 | Detects potential use of Rubeus via a newly registered trusted logon process 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 12e6d621-194f-4f59-90cc-1959e21e69f7 9 | https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 10 | attack.lateral_movement,attack.privilege_escalation,attack.t1208,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_remote_powershell_session.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5156$ 4 | 5985|5986 5 | 44 6 | ATT&CK T1086: Remote PowerShell Sessions 7 | Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 8 | Falsepositives: Legitimate use of remote PowerShell execution. 9 | Sigma UUID: 13acf386-b8c6-4fe0-9a6e-c4756b974698 10 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 11 | attack.execution,attack.t1086,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_sam_registry_hive_handle_request.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$ 4 | Key 5 | \\\\SAM$ 6 | ATT&CK T1012: SAM Registry Hive Handle Request 7 | Detects handles requested to SAM registry hive 8 | Falsepositives: Unknown. 
9 | Sigma UUID: f8748f2c-89dc-4d95-afb0-5a2dfdbad332 10 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md 11 | attack.discovery,attack.t1012,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_scm_database_handle_failure.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$ 4 | SC_MANAGER OBJECT 5 | servicesactive 6 | Audit Failure 7 | 0x3e4 8 | ATT&CK: SCM Database Handle Failure 9 | Detects non-system users failing to get a handle of the SCM database. 10 | Falsepositives: Unknown. 11 | Sigma UUID: 13addce7-47b2-4ca0-a98f-1de964d1d669 12 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md 13 | MITRE 14 | 15 | 16 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_add_domain_trust.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4706$ 4 | ATT&CK: Addition of Domain Trusts 5 | Addition of domains is seldom and should be verified for legitimacy. 6 | Falsepositives: Legitimate extension of domain structure. 7 | Sigma UUID: 0255a820-e564-4e40-af2b-6ac61160335c 8 | attack.persistence,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_backup_delete.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^524$ 4 | Microsoft-Windows-Backup 5 | ATT&CK T1107: Backup Catalog Deleted 6 | Detects backup catalog deletions 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 9703792d-fd9a-456d-a672-ff92efe4806a 9 | https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx 10 | https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 11 | attack.defense_evasion,attack.t1107,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_codeintegrity_check_failure.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5038$|^6281$ 4 | ATT&CK T1009: Failed Code Integrity Checks 5 | Code integrity failures may indicate tampered executables. 6 | Falsepositives: Disk device errors. 7 | Sigma UUID: 470ec5fa-7b4e-4071-b200-4c753100f49b 8 | attack.defense_evasion,attack.t1009,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_dhcp_config.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^1033$ 4 | Microsoft-Windows-DHCP-Server 5 | ATT&CK T1073: DHCP Server Loaded the CallOut DLL 6 | This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40 9 | https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html 10 | https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx 11 | https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 12 | attack.defense_evasion,attack.t1073,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_dns_config.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^150$|^770$ 4 | ATT&CK T1073: DNS Server Error Failed Loading the ServerLevelPluginDLL 5 | This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded 6 | Falsepositives: Unknown. 7 | Sigma UUID: cbe51394-cd93-4473-b555-edf0144952d9 8 | https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 9 | https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx 10 | https://twitter.com/gentilkiwi/status/861641945944391680 11 | attack.defense_evasion,attack.t1073,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_dsrm_password_change.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4794$ 4 | ATT&CK T1098: Password Change on Directory Service Restore Mode (DSRM) Account 5 | The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. 6 | Falsepositives: Initial installation of a domain controller. 
7 | Sigma UUID: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51 8 | https://adsecurity.org/?p=1714 9 | attack.persistence,attack.privilege_escalation,attack.t1098,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_eventlog_cleared.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^104$ 4 | Microsoft-Windows-Eventlog 5 | ATT&CK T1070: Eventlog Cleared 6 | One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution 7 | Falsepositives: Unknown. 8 | Sigma UUID: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 9 | https://twitter.com/deviouspolack/status/832535435960209408 10 | https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 11 | attack.defense_evasion,attack.t1070,car.2016-04-002,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_failed_logon_reasons.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4625$|^4776$ 4 | 0xC0000072|0xC000006F|0xC0000070|0xC0000413|0xC000018C|0xC000015B 5 | ATT&CK T1078: Account Tampering - Suspicious Failed Logon Reasons 6 | This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. 7 | Falsepositives: User using a disabled account. 
8 | Sigma UUID: 9eb99343-d336-4020-a3cd-67f3819e68ee 9 | https://twitter.com/SBousseaden/status/1101431884540710913 10 | attack.persistence,attack.privilege_escalation,attack.t1078,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_kerberos_manipulation.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^675$|^4768$|^4769$|^4771$ 4 | 0x9|0xA|0xB|0xF|0x10|0x11|0x13|0x14|0x1A|0x1F|0x21|0x22|0x23|0x24|0x26|0x27|0x28|0x29|0x2C|0x2D|0x2E|0x2F|0x31|0x32|0x3E|0x3F|0x40|0x41|0x43|0x44 5 | ATT&CK T1212: Kerberos Manipulation 6 | This method triggers on rare Kerberos failure codes caused by manipulation of Kerberos messages 7 | Falsepositives: Faulty legacy applications. 8 | Sigma UUID: f7644214-0eb0-4ace-9455-331ec4c09253 9 | attack.credential_access,attack.t1212,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_local_anon_logon_created.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4720$ 4 | ANONYMOUS\.*LOGON 5 | ATT&CK T1136: Suspicious Windows ANONYMOUS LOGON Local Account Created 6 | Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 1bbf25b9-8038-4154-a50b-118f2a32be27 9 | https://twitter.com/SBousseaden/status/1189469425482829824 10 | attack.persistence,attack.t1136,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_lsass_dump.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$ 4 | \.:\\\\Windows\\\\System32\\\\lsass.exe 5 | 0x705 6 | SAM_DOMAIN 7 | ATT&CK T1003: Password Dumper Activity on LSASS 8 | Detects a process handle on the LSASS process with a certain access mask and object type SAM_DOMAIN 9 | Falsepositives: Unknown. 10 | Sigma UUID: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c 11 | https://twitter.com/jackcr/status/807385668833968128 12 | attack.credential_access,attack.t1003,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_ntlm_auth.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^8002$ 4 | 5 | ATT&CK T1075: NTLM Logon 6 | Detects logons using NTLM, which could be caused by a legacy source or by attackers 7 | Falsepositives: Legacy hosts. 
8 | Sigma UUID: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b 9 | https://twitter.com/JohnLaTwC/status/1004895028995477505 10 | https://goo.gl/PsqrhT 11 | attack.lateral_movement,attack.t1075,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_psexec.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | \\\\\.*\\\\IPC\$ 5 | -stdin|-stdout|-stderr 6 | !PSEXESVC 7 | ATT&CK T1077: Suspicious PsExec Execution 8 | detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one 9 | Falsepositives: nothing observed so far. 10 | Sigma UUID: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 11 | https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html 12 | attack.lateral_movement,attack.t1077,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_raccess_sensitive_fext.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | .pst|.ost|.msg|.nst|.oab|.edb|.nsf|.bak|.dmp|.kirbi|\\\\groups.xml|.rdp 5 | ATT&CK: Suspicious Access to Sensitive File Extensions 6 | Detects known sensitive file extensions 7 | Falsepositives: Help Desk operator doing backup or re-imaging end user machine or pentest or backup software. Users working with these data types or exchanging message files. 
8 | Sigma UUID: 91c945bc-2ad1-4799-a591-4d00198a1215 9 | attack.collection,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_rottenpotato.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4624$ 4 | 3 5 | ANONYMOUS_LOGON 6 | - 7 | 127.0.0.1 8 | ATT&CK T1171: RottenPotato Like Attack Pattern 9 | Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like 10 | Falsepositives: Unknown. 11 | Sigma UUID: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f 12 | https://twitter.com/SBousseaden/status/1195284233729777665 13 | attack.privilege_escalation,attack.credential_access,attack.t1171,MITRE 14 | 15 | 16 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_sam_dump.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^16$ 4 | \\\\AppData\\\\Local\\\\Temp\\\\SAM-\.*.dmp 5 | ATT&CK T1003: SAM Dump to AppData 6 | Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers 7 | Falsepositives: Penetration testing. 
8 | Sigma UUID: 839dd1e8-eda8-4834-8145-01beeee33acd 9 | attack.credential_access,attack.t1003,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_samr_pwset.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_sdelete.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$|^4663$|^4658$ 4 | .AAA|.ZZZ 5 | ATT&CK T1107 T1066 S0195: Secure Deletion with SDelete 6 | Detects renaming of a file during deletion with the SDelete tool 7 | Falsepositives: Legitimate usage of SDelete. 8 | Sigma UUID: 39a80702-d7ca-4a83-b776-525b1f86a36d 9 | https://jpcertcc.github.io/ToolAnalysisResultSheet 10 | https://www.jpcert.or.jp/english/pub/sr/ir_research.html 11 | https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx 12 | attack.defense_evasion,attack.t1107,attack.t1066,attack.s0195,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_security_eventlog_cleared.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^517$|^1102$ 4 | ATT&CK T1070: Security Eventlog Cleared 5 | Some threat groups tend to delete the local 'Security' Eventlog using certain utilities 6 | Falsepositives: Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog). System provisioning (system reset before the golden image creation). 
7 | Sigma UUID: f2f01843-e7b8-4f95-a35a-d23584476423 8 | attack.defense_evasion,attack.t1070,car.2016-04-002,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_susp_wmi_login.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4624$ 4 | \\\\WmiPrvSE.exe 5 | ATT&CK T1047: Login with WMI 6 | Detection of logins performed with WMI 7 | Falsepositives: Monitoring tools. Legitimate system administration. 8 | Sigma UUID: 5af54681-df95-4c26-854f-2565e13cfab0 9 | attack.execution,attack.t1047,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_suspicious_outbound_kerberos_connection.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5156$ 4 | ^88$ 5 | !\\lsass.exe$|\\opera.exe$|\\chrome.exe$|\\firefox.exe$ 6 | ATT&CK T1208: Suspicious Outbound Kerberos Connection 7 | Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation. 8 | Falsepositives: Other browsers. 9 | Sigma UUID: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 10 | https://github.com/GhostPack/Rubeus8 11 | attack.lateral_movement,attack.t1208,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_svcctl_remote_service.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5145$ 4 | \\\\\.*\\\\IPC\$ 5 | svcctl 6 | WriteData 7 | ATT&CK: Remote Service Activity via SVCCTL Named Pipe 8 | Detects remote service activity via remote access to the svcctl named pipe 9 | Falsepositives: pentesting. 
10 | Sigma UUID: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 11 | https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html 12 | attack.lateral_movement,attack.persistence,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_syskey_registry_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4656$|^4663$ 4 | key 5 | lsa\\\\JD$|lsa\\\\GBG$|lsa\\\\Skew1$|lsa\\\\Data$ 6 | ATT&CK T1012: SysKey Registry Keys Access 7 | Detects handle requests and access operations to specific registry keys to calculate the SysKey 8 | Falsepositives: Unknown. 9 | Sigma UUID: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 10 | https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md 11 | attack.discovery,attack.t1012,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_usb_device_plugged.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^2003$|^2100$|^2102$ 4 | ATT&CK T1200: USB Device Plugged 5 | Detects plugged USB devices 6 | Falsepositives: Legitimate administrative activity. 
7 | Sigma UUID: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 8 | https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ 9 | https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ 10 | attack.initial_access,attack.t1200,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_user_creation.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4720$ 4 | ATT&CK T1136: Local User Creation 5 | Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs. 6 | Falsepositives: Domain Controller Logs. Local accounts managed by privileged account management tools. 7 | Sigma UUID: 66b6be3d-55d0-4f47-9855-d69df21740ea 8 | https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ 9 | attack.persistence,attack.t1136,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/builtin/win_vul_cve_2020_0688.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event4 3 | MSExchange Control Panel 4 | Error 5 | &__VIEWSTATE= 6 | ATT&CK T1190: CVE-2020-0688 Exploitation via Eventlog 7 | Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 8 | Falsepositives: Unknown. 
9 | Sigma UUID: d6266bf5-935e-4661-b477-78772735a7cb 10 | https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ 11 | attack.initial_access,attack.t1190,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/malware/mal_azorult_reg.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^12$|^13$ 4 | SYSTEM\\\\\.*\\\\services\\\\localNETService 5 | ATT&CK T1112: Registry Entries For Azorult Malware 6 | Detects the presence of a registry key created during Azorult execution 7 | Falsepositives: unknown. 8 | Sigma UUID: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 9 | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a 10 | attack.execution,attack.t1112,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/malware/win_mal_ryuk.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\net.exe\s+stop\s+"samss" |\\\\net.exe\s+stop\s+"audioendpointbuilder" |\\\\net.exe\s+stop\s+"unistoresvc_?????" 4 | ATT&CK: Ryuk Ransomware 5 | Detects Ryuk Ransomware command lines 6 | Falsepositives: Unlikely. 7 | Sigma UUID: 0acaad27-9f02-4136-a243-c357202edd74 8 | https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ 9 | MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/malware/win_mal_ursnif.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_13 3 | \\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\ 4 | ATT&CK T1112: Ursnif 5 | Detects a new registry key created by Ursnif malware. 6 | Falsepositives: Unknown. 
7 | Sigma UUID: 21f17060-b282-4249-ade0-589ea3591558 8 | https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ 9 | https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ 10 | attack.execution,attack.t1112,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/other/win_defender_bypass.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4657$|^4656$|^4660$|^4663$ 4 | \\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\ 5 | ATT&CK T1089: Windows Defender Exclusion Set 6 | Detects scenarios where a Windows Defender exclusion was added in the registry, where an entity would want to bypass antivirus scanning by Windows Defender 7 | Falsepositives: Intended exclusions by administrator. 8 | Sigma UUID: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d 9 | https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ 10 | attack.defense_evasion,attack.t1089,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/other/win_wmi_persistence.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^5861$|^5859$ 4 | ActiveScriptEventConsumer|CommandLineEventConsumer|CommandLineTemplate 5 | ATT&CK T1047: WMI Persistence 6 | Detects suspicious WMI event filters and command line event consumers based on event IDs 5861 and 5859 (Windows 10, 2012 and higher) 7 | Falsepositives: Unknown (data set is too small; further testing needed). 
8 | Sigma UUID: 0b7889b4-5577-4521-a60a-3376ee7f9f7b 9 | https://twitter.com/mattifestation/status/899646620148539397 10 | https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 11 | attack.execution,attack.persistence,attack.t1047,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_alternate_powershell_hosts.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4103$|^400$ 4 | !powershell.exe 5 | ATT&CK T1086: Alternate PowerShell Hosts 6 | Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe 7 | Falsepositives: Programs using PowerShell directly without invocation of a dedicated interpreter. MSP Detection Searcher. Citrix ConfigSync.ps1. 8 | Sigma UUID: 64e8e417-c19a-475a-8d19-98ea705394cc 9 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md 10 | attack.execution,attack.t1086,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_clear_powershell_history.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | del (Get-PSReadlineOption).HistorySavePath|Set-PSReadlineOption –HistorySaveStyle SaveNothing|Remove-Item (Get-PSReadlineOption).HistorySavePath|rm (Get-PSReadlineOption).HistorySavePath 4 | ATT&CK T1146: Clear PowerShell History 5 | Detects keywords that could indicate clearing PowerShell history 6 | Falsepositives: some PS-scripts. 
7 | Sigma UUID: dfba4ce1-e0ea-495f-986e-97140f31af2d 8 | https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a 9 | attack.defense_evasion,attack.t1146,MITRE 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_create_local_user.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4104$ 4 | New-LocalUser 5 | ATT&CK T1086 T1136: PowerShell Create Local User 6 | Detects creation of a local user via PowerShell 7 | Falsepositives: Legitimate user creation. 8 | Sigma UUID: 243de76f-4725-4f2e-8225-a8a69b15ad61 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md 10 | attack.execution,attack.t1086,attack.persistence,attack.t1136,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_data_compressed.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4104$ 4 | -Recurse 5 | \|\.*Compress-Archive|Compress-Archive\.*\| 6 | ATT&CK T1002: Data Compressed - Powershell 7 | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network 8 | Falsepositives: highly likely if archive ops are done via PS. 
9 | Sigma UUID: 6dc5d284-69ea-42cf-9311-fb1c3932a69a 10 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml 11 | attack.exfiltration,attack.t1002,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_dnscat_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4104$ 4 | Start-Dnscat2 5 | ATT&CK T1048: Dnscat Execution 6 | Dnscat exfiltration tool execution 7 | Falsepositives: Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely). 8 | Sigma UUID: a6d67db4-6220-436d-8afc-f3842fe05d43 9 | attack.exfiltration,attack.t1048,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_exe_calling_ps.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^400$ 4 | ^2.|^4.|^5. 5 | ^3. 6 | ATT&CK T1086: PowerShell Called from an Executable Version Mismatch 7 | Detects PowerShell called from an executable by the version mismatch method 8 | Falsepositives: Penetration Tests. Unknown. 9 | Sigma UUID: c70e019b-1479-4b65-b0cc-cd0c6093a599 10 | https://adsecurity.org/?p=2921 11 | attack.defense_evasion,attack.execution,attack.t1086,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_ntfs_ads_access.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | set-content 4 | -stream 5 | ATT&CK T1096: NTFS Alternate Data Stream 6 | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. 7 | Falsepositives: unknown. 
8 | Sigma UUID: 8c521530-5169-495d-a199-0a3a881ad24e 9 | http://www.powertheshell.com/ntfsstreams/ 10 | attack.defense_evasion,attack.t1096,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_prompt_credentials.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4104$ 4 | PromptForCredential 5 | ATT&CK T1086: PowerShell Credential Prompt 6 | Detects PowerShell calling a credential prompt 7 | Falsepositives: Unknown. 8 | Sigma UUID: ca8b77a9-d499-4095-b793-5d5f330d450e 9 | https://twitter.com/JohnLaTwC/status/850381440629981184 10 | https://t.co/ezOTGy1a1G 11 | attack.execution,attack.credential_access,attack.t1086,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_psattack.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4103$ 4 | PS ATTACK!!! 5 | ATT&CK T1086: PowerShell PSAttack 6 | Detects the use of the PSAttack PowerShell hack tool 7 | Falsepositives: Pentesters. 8 | Sigma UUID: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5 9 | https://adsecurity.org/?p=2921 10 | attack.execution,attack.t1086,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_remote_powershell_session.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4103$|^400$ 4 | ServerRemoteHost 5 | wsmprovhost.exe 6 | ATT&CK T1086: Remote PowerShell Session 7 | Detects remote PowerShell sessions 8 | Falsepositives: Legitimate use of remote PowerShell sessions. 
9 | Sigma UUID: 96b9f619-aa91-478f-bacb-c3e50f8df575 10 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 11 | attack.execution,attack.t1086,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_shellcode_b64.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^4104$ 4 | AAAAYInlM 5 | OiCAAAAYInlM|OiJAAAAYInlM 6 | ATT&CK T1055 T1086: PowerShell ShellCode 7 | Detects Base64 encoded Shellcode 8 | Falsepositives: Unknown. 9 | Sigma UUID: 16b37b70-6fcf-4814-a092-c36bd3aafcbd 10 | https://twitter.com/cyb3rops/status/1063072865992523776 11 | attack.privilege_escalation,attack.execution,attack.t1055,attack.t1086,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_suspicious_invocation_generic.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | -enc \.* -noni | -noni \.* -enc | -enc \.* -noninteractive | -noninteractive \.* -enc | -EncodedCommand \.* -noni | -noni \.* -EncodedCommand | -EncodedCommand \.* -noninteractive | -noninteractive \.* -EncodedCommand 4 | -w hidden | -window hidden | -windowstyle hidden 5 | ATT&CK T1086: Suspicious PowerShell Invocations - Generic 6 | Detects suspicious PowerShell invocation command parameters 7 | Falsepositives: Penetration tests. Very special / sneaky PowerShell scripts. 
8 | Sigma UUID: 3d304fda-78aa-43ed-975c-d740798a49c1 9 | attack.execution,attack.t1086,MITRE 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_suspicious_invocation_specific.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | -nop -w hidden -c \.* [Convert]::FromBase64String| -w hidden -noni -nop -c "iex\(New-Object| -w hidden -ep bypass -Enc|powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run|bypass -noprofile -windowstyle hidden \(new-object system.net.webclient\).download|iex\(New-Object Net.WebClient\).Download 4 | ATT&amp;CK T1086: Suspicious PowerShell Invocations - Specific 5 | Detects suspicious PowerShell invocation command parameters 6 | Falsepositives: Penetration tests. 7 | Sigma UUID: fce5f582-cc00-41e1-941a-c6fabf0fdb8c 8 | attack.execution,attack.t1086,MITRE 9 | 10 | -------------------------------------------------------------------------------- /ossec-rules/windows/powershell/powershell_wmimplant.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | WMImplant| change_user | gen_cli | command_exec | disable_wdigest | disable_winrm | enable_wdigest | enable_winrm | registry_mod | remote_posh | sched_job | service_mod | process_kill | active_users | basic_info | power_off | vacant_system | logon_events 4 | ATT&amp;CK T1047: WMImplant Hack Tool 5 | Detects parameters used by WMImplant 6 | Falsepositives: Administrative scripts that use the same keywords. 
7 | Sigma UUID: 8028c2c3-e25a-46e3-827f-bbb5abf181d7 8 | https://github.com/FortyNorthSecurity/WMImplant 9 | attack.execution,attack.t1047,MITRE 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_advanced_ip_scanner.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\advanced_ip_scanner 4 | ATT&CK T1046: Advanced IP Scanner 5 | Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. 6 | Falsepositives: Legitimate administrative use. 7 | Sigma UUID: bef37fa2-f205-4a7b-b484-0759bfd5f86f 8 | https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ 9 | https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html 10 | attack.discovery,attack.t1046,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_apt29_thinktanks.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | -noni\s+-ep\s+bypass\s+\$ 4 | ATT&CK T1086: APT29 5 | This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks 6 | Falsepositives: unknown. 
7 | Sigma UUID: 033fe7d6-66d1-4240-ac6b-28908009c71f 8 | https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 9 | attack.execution,attack.g0016,attack.t1086,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_babyshark.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | reg\s+query\s+"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\s+Server\s+Client\\\\Default"|powershell.exe\s+mshta.exe\s+http|cmd.exe\s+/c\s+taskkill\s+/im\s+cmd.exe 4 | ATT&CK T1059 T1086 T1012 T1170: Baby Shark Activity 5 | Detects activity that could be related to Baby Shark malware 6 | Falsepositives: unknown. 7 | Sigma UUID: 2b30fa36-3a18-402f-a22d-bf4ce2189f35 8 | https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 9 | attack.execution,attack.t1059,attack.t1086,attack.discovery,attack.t1012,attack.defense_evasion,attack.t1170,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_bluemashroom.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\regsvr32\.*\\\\AppData\\\\Local\\\\|\\\\AppData\\\\Local\\\\\.*,DllEntry 4 | ATT&CK T1117: BlueMashroom DLL Load 5 | Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report 6 | Falsepositives: Unlikely. 
7 | Sigma UUID: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 8 | https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software 9 | attack.defense_evasion,attack.t1117,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_cloudhopper.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\cscript.exe 4 | .vbs\s+/shell 5 | ATT&CK T1064: WMIExec VBS Script 6 | Detects suspicious file execution by wscript and cscript 7 | Falsepositives: Unlikely. 8 | Sigma UUID: 966e4016-627f-44f7-8341-f394905c361f 9 | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf 10 | attack.execution,attack.g0045,attack.t1064,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_dragonfly.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\crackmapexec.exe 4 | ATT&CK: CrackMapExecWin 5 | Detects CrackMapExecWin Activity as Described by NCSC 6 | Falsepositives: None. 7 | Sigma UUID: 04d9079e-3905-4b70-ad37-6bdf11304965 8 | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 9 | attack.g0035,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_emissarypanda_sep19.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\sllauncher.exe 4 | \\\\svchost.exe 5 | ATT&CK: Emissary Panda Malware SLLauncher 6 | Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 9aa01d62-7667-4d3b-acb8-8cb5103e2014 9 | https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 10 | https://twitter.com/cyb3rops/status/1168863899531132929 11 | MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_hurricane_panda.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | localgroup\s+administrators\s+admin\s+/add|\\\\Win64.exe 4 | ATT&CK T1068: Hurricane Panda Activity 5 | Detects Hurricane Panda Activity 6 | Falsepositives: Unknown. 7 | Sigma UUID: 0eb2107b-a596-422e-b123-b389d5594ed7 8 | https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ 9 | attack.privilege_escalation,attack.g0009,attack.t1068,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_ta17_293a_ps.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | ps.exe\s+-accepteula 4 | ATT&CK T1036: Ps.exe Renamed SysInternals Tool 5 | Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report 6 | Falsepositives: Renamed SysInternals tool. 
7 | Sigma UUID: 18da1007-3f26-470f-875d-f77faf1cab31 8 | https://www.us-cert.gov/ncas/alerts/TA17-293A 9 | attack.defense_evasion,attack.g0035,attack.t1036,car.2013-05-009,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_tropictrooper.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc 4 | ATT&CK T1085: TropicTrooper Campaign November 2018 5 | Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia 6 | Sigma UUID: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79 7 | https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ 8 | attack.execution,attack.t1085,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_apt_zxshell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | rundll32.exe \.*,zxFunction|rundll32.exe \.*,RemoteDiskXXXXX 4 | ATT&CK T1059 T1085: ZxShell Malware 5 | Detects a ZxShell start by the called and well-known function name 6 | Falsepositives: Unlikely. 
7 | Sigma UUID: f0b70adb-0075-43b0-9745-e82a1c608fcc 8 | https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 9 | attack.g0001,attack.execution,attack.t1059,attack.defense_evasion,attack.t1085,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_cmdkey_recon.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\cmdkey.exe 4 | /list 5 | ATT&amp;CK T1003: Cmdkey Cached Credentials Recon 6 | Detects usage of cmdkey to look for cached credentials 7 | Falsepositives: Legitimate administrative tasks. 8 | Sigma UUID: 07f8bdc2-c9b3-472a-9817-5a670b872f53 9 | https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation 10 | https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx 11 | attack.credential_access,attack.t1003,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_control_panel_item.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | .cpl 4 | ATT&amp;CK T1196: Control Panel Items 5 | Detects the use of a control panel item (.cpl) outside of the System32 folder 6 | Falsepositives: Unknown. 
7 | Sigma UUID: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 8 | attack.execution,attack.t1196,attack.defense_evasion,MITRE 9 | 10 | 11 | 12 | 260300 13 | \\\\System32\\\\|system32 14 | Whitelist Interaction: Control Panel Items 15 | attack.execution,attack.t1196,attack.defense_evasion,MITRE 16 | 17 | 18 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_crime_fireball.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\rundll32.exe \.*,InstallArcherSvc 4 | ATT&CK T1059 T1085: Fireball Archer Install 5 | Detects Archer malware invocation via rundll32 6 | Falsepositives: Unknown. 7 | Sigma UUID: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d 8 | https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ 9 | https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 10 | attack.execution,attack.t1059,attack.defense_evasion,attack.t1085,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_dns_exfiltration_tools_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\iodine.exe$ 4 | \\\\dnscat2 5 | ATT&CK T1048: DNS Exfiltration Tools Execution 6 | Well-known DNS Exfiltration tools execution 7 | Falsepositives: Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely). 
8 | Sigma UUID: 98a96a5a-64a0-4c42-92c5-489da3866cb0 9 | attack.exfiltration,attack.t1048,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_encoded_frombase64string.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | ::FromBase64String 4 | ATT&CK T1086 T1140: Encoded FromBase64String 5 | Detects a base64 encoded FromBase64String keyword in a process command line 6 | Falsepositives: unknown. 7 | Sigma UUID: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c 8 | attack.t1086,attack.t1140,attack.execution,attack.defense_evasion,MITRE 9 | 10 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_encoded_iex.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | IEX\s+\([|iex\s+\([|iex\s+\(New|IEX\s+\(New 4 | ATT&CK T1086 T1140: Encoded IEX 5 | Detects a base64 encoded IEX command string in a process command line 6 | Falsepositives: unknown. 7 | Sigma UUID: 88f680b8-070e-402c-ae11-d2914f2257f1 8 | attack.t1086,attack.t1140,attack.execution,MITRE 9 | 10 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\plink.exe$|\\\\socat.exe$|\\\\stunnel.exe$|\\\\httptunnel.exe$ 4 | ATT&CK T1020: Exfiltration and Tunneling Tools Execution 5 | Execution of well known tools for data exfiltration and tunneling 6 | Falsepositives: Legitimate Administrator using tools. 
7 | Sigma UUID: c75309a3-59f8-4a8d-9c2c-4c927ad50555 8 | attack.exfiltration,attack.t1020,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_exploit_cve_2015_1641.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\WINWORD.EXE 4 | \\\\MicroScMgmt.exe 5 | ATT&CK T1036: Exploit for CVE-2015-1641 6 | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 7 | Falsepositives: Unknown. 8 | Sigma UUID: 7993792c-5ce2-4475-a3db-a3a5539827ef 9 | https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ 10 | https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 11 | attack.defense_evasion,attack.t1036,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_exploit_cve_2017_0261.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\WINWORD.EXE 4 | \\\\FLTLDR.exe 5 | ATT&CK T1055: Exploit for CVE-2017-0261 6 | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 7 | Falsepositives: Several false positives identified, check for suspicious file names or locations (e.g. Temp folders). 
8 | Sigma UUID: 864403a1-36c9-40a2-a982-4c9a45f7d833 9 | https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html 10 | attack.defense_evasion,attack.privilege_escalation,attack.t1055,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_exploit_cve_2017_8759.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\WINWORD.EXE 4 | \\\\csc.exe 5 | ATT&CK T1203: Exploit for CVE-2017-8759 6 | Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 7 | Falsepositives: Unknown. 8 | Sigma UUID: fdd84c68-a1f6-47c9-9477-920584f94905 9 | https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 10 | https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 11 | attack.execution,attack.t1203,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_hack_koadic.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | cmd.exe\.* /q\s+/c\s+chcp 4 | ATT&CK T1170: Koadic Execution 5 | Detects command line parameters used by Koadic hack tool 6 | Falsepositives: Pentest. 
7 | Sigma UUID: 5cddf373-ef00-4112-ad72-960ac29bac34 8 | https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/ 9 | https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955 10 | https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ 11 | attack.execution,attack.t1170,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_hack_rubeus.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | asreproast | dump\s+/service:krbtgt | kerberoast | createnetonly\s+/program:| ptt\s+/ticket:| /impersonateuser:| renew\s+/ticket:| asktgt\s+/user:| harvest\s+/interval: 4 | ATT&amp;CK T1003 S0005: Rubeus Hack Tool 5 | Detects command line parameters used by the Rubeus hack tool 6 | Falsepositives: unlikely. 7 | Sigma UUID: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 8 | https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ 9 | attack.credential_access,attack.t1003,attack.s0005,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_hh_chm.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\hh.exe$ 4 | .chm 5 | ATT&amp;CK T1223: HH.exe Execution 6 | Identifies usage of hh.exe executing recently modified .chm files. 7 | Falsepositives: unlikely. 
8 | Sigma UUID: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml 10 | https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html 11 | attack.defense_evasion,attack.execution,attack.t1223,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_html_help_spawn.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \.:\\\\Windows\\\\hh.exe 4 | \\\\cmd.exe$|\\\\powershell.exe$|\\\\wscript.exe$|\\\\cscript.exe$|\\\\regsvr32.exe$|\\\\wmic.exe$|\\\\rundll32.exe$ 5 | ATT&CK T1223: HTML Help Shell Spawn 6 | Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm) 7 | Falsepositives: unknown. 8 | Sigma UUID: 52cad028-0ff0-4854-8f67-d25dfcbc78b4 9 | https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/ 10 | attack.execution,attack.defense_evasion,attack.t1223,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_interactive_at.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\at.exe$ 4 | interactive 5 | ATT&CK T1053: Interactive AT Job 6 | Detect an interactive AT job, which may be used as a form of privilege escalation 7 | Falsepositives: Unlikely (at.exe deprecated as of Windows 8). 
8 | Sigma UUID: 60fc936d-2eb0-4543-8a13-911c750a1dfc 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml 10 | https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html 11 | attack.privilege_escalation,attack.t1053,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.xml: -------------------------------------------------------------------------------- 1 | 2 | 10 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | Medium 4 | System 5 | NT AUTHORITY\\\\SYSTEM 6 | ATT&amp;CK T1068: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing 7 | Detects child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level 8 | Falsepositives: Unknown. 9 | Sigma UUID: 8065b1b4-1778-4427-877f-6bf948b26d38 10 | https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment 11 | attack.privilege_escalation,attack.t1068,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_lethalhta.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\svchost.exe 4 | \\\\mshta.exe 5 | ATT&amp;CK T1170: MSHTA Spawned by SVCHOST 6 | Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in the referenced report 7 | Falsepositives: Unknown. 
8 | Sigma UUID: ed5d72a6-f8f4-479d-ba79-02f6a80d7471 9 | https://codewhitesec.blogspot.com/2018/07/lethalhta.html 10 | attack.defense_evasion,attack.execution,attack.t1170,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_malware_dtrack.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | echo\s+EEEE\s+> 4 | ATT&CK: DTRACK Process Creation 5 | Detects specific process parameters as seen in DTRACK infections 6 | Falsepositives: Unlikely. 7 | Sigma UUID: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 8 | https://securelist.com/my-name-is-dtrack/93338/ 9 | https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/ 10 | https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/ 11 | MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_malware_ryuk.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | Microsoft\\\\Windows\\\\CurrentVersion\\\\Run 4 | \.:\\\\users\\\\Public\\\\ 5 | ATT&CK: Ryuk Ransomware 6 | Detects Ryuk ransomware activity 7 | Falsepositives: Unlikely. 8 | Sigma UUID: c37510b8-2107-4b78-aa32-72f251e7a844 9 | https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ 10 | MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_malware_trickbot_recon_activity.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\nltest.exe 4 | /domain_trusts\s+/all_trusts|/domain_trusts 5 | ATT&CK T1482: Trickbot Malware Recon Activity 6 | Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. 
This detector attempts to identify that activity based on a command rarely observed in an enterprise network. 7 | Falsepositives: Rare System Admin Activity. 8 | Sigma UUID: 410ad193-a728-4107-bc79-4419789fcbf8 9 | https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ 10 | attack.t1482,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_mavinject_proc_inj.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | /INJECTRUNNING 4 | ATT&amp;CK T1055 T1218: MavInject Process Injection 5 | Detects process injection using the signed Windows tool Mavinject32.exe 6 | Falsepositives: unknown. 7 | Sigma UUID: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 8 | https://twitter.com/gN3mes1s/status/941315826107510784 9 | https://reaqta.com/2017/12/mavinject-microsoft-injector/ 10 | https://twitter.com/Hexacorn/status/776122138063409152 11 | attack.t1055,attack.t1218,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_mmc_spawn_shell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\mmc.exe 4 | \\\\cmd.exe|\\\\powershell.exe|\\\\wscript.exe|\\\\cscript.exe|\\\\sh.exe|\\\\bash.exe|\\\\reg.exe|\\\\regsvr32.exe|\\\\BITSADMIN 5 | ATT&amp;CK T1175: MMC Spawning Windows Shell 6 | Detects a Windows command line executable started from MMC. 
7 | Sigma UUID: 05a2ab7e-ce11-4b63-86db-ab32e763e11d 8 | attack.lateral_movement,attack.t1175,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_mshta_javascript.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\mshta.exe$ 4 | javascript 5 | ATT&CK T1170: Mshta JavaScript Execution 6 | Identifies suspicious mshta.exe commands 7 | Falsepositives: unknown. 8 | Sigma UUID: 67f113fa-e23d-4271-befa-30113b3e08b1 9 | https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html 10 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml 11 | attack.execution,attack.defense_evasion,attack.t1170,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_mshta_spawn_shell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\mshta.exe 4 | \\\\cmd.exe|\\\\powershell.exe|\\\\wscript.exe|\\\\cscript.exe|\\\\sh.exe|\\\\bash.exe|\\\\reg.exe|\\\\regsvr32.exe|\\\\BITSADMIN 5 | ATT&CK T1170: MSHTA Spawning Windows Shell 6 | Detects a Windows command line executable started from MSHTA. 7 | Falsepositives: Printer software / driver installations. HP software. 
8 | Sigma UUID: 03cc0c25-389f-4bf8-b48d-11878079f1ca 9 | https://www.trustedsec.com/july-2015/malicious-htas/ 10 | attack.defense_evasion,attack.execution,attack.t1170,car.2013-02-003,car.2013-03-001,car.2014-04-003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_netsh_fw_add.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh 4 | firewall\s+add 5 | ATT&amp;CK T1090: Netsh Port or Application Allowed 6 | Detects netsh commands that allow incoming connections by port or application on the Windows Firewall 7 | Falsepositives: Legitimate administration. 8 | Sigma UUID: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c 9 | https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) 10 | https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf 11 | attack.lateral_movement,attack.command_and_control,attack.t1090,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_netsh_packet_capture.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh 4 | trace 5 | start 6 | ATT&amp;CK T1040: Capture a Network Trace with netsh.exe 7 | Detects capturing a network trace via the netsh.exe trace functionality 8 | Falsepositives: Legitimate administrator or user uses the netsh.exe trace functionality for a legitimate reason. 
9 | Sigma UUID: d3c3861d-c504-4c77-ba55-224ba82d0118 10 | https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ 11 | attack.discovery,attack.t1040,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_netsh_port_fwd.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh\s+interface\s+portproxy\s+add\s+v4tov4 4 | ATT&CK T1090: Netsh Port Forwarding 5 | Detects netsh commands that configure a port forwarding 6 | Falsepositives: Legitimate administration. 7 | Sigma UUID: 322ed9ec-fcab-4f67-9a34-e7c6aef43614 8 | https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 9 | attack.lateral_movement,attack.command_and_control,attack.t1090,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_netsh_port_fwd_3389.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh\s+i\.* p\.*=3389\s+c 4 | ATT&CK T1021: Netsh RDP Port Forwarding 5 | Detects netsh commands that configure a port forwarding of port 3389 used for RDP 6 | Falsepositives: Legitimate administration. 
7 | Sigma UUID: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 8 | https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 9 | attack.lateral_movement,attack.t1021,car.2013-07-002,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_netsh_wifi_credential_harvesting.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh\s+wlan\s+s\.* p\.* k\.*=clear 4 | ATT&amp;CK T1040: Harvesting of Wifi Credentials Using netsh.exe 5 | Detects the harvesting of wifi credentials using netsh.exe 6 | Falsepositives: Legitimate administrator or user uses the netsh.exe wlan functionality for a legitimate reason. 7 | Sigma UUID: 42b1a5b8-353f-4f10-b256-39de4467faff 8 | https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ 9 | attack.discovery,attack.t1040,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_non_interactive_powershell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\powershell.exe$ 4 | !\\windows\\explorer.exe 5 | ATT&amp;CK T1086: Non Interactive PowerShell 6 | Detects non-interactive PowerShell activity by looking for powershell.exe whose parent process is not explorer.exe. 7 | Falsepositives: Legitimate programs executing PowerShell scripts. 
8 | Sigma UUID: f4bbd493-b796-416e-bbf2-121235348529 9 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md 10 | attack.execution,attack.t1086,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_amsi_bypass.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | System.Management.Automation.AmsiUtils 4 | amsiInitFailed 5 | ATT&CK T1086: Powershell AMSI Bypass via .NET Reflection 6 | Detects Request to amsiInitFailed that can be used to disable AMSI Scanning 7 | Falsepositives: Potential Admin Activity. 8 | Sigma UUID: 30edb182-aa75-42c0-b0a9-e998bb29067c 9 | https://twitter.com/mattifestation/status/735261176745988096 10 | https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 11 | attack.execution,attack.defense_evasion,attack.t1086,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_audio_capture.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | WindowsAudioDevice-Powershell-Cmdlet 4 | ATT&CK T1123: Audio Capture via PowerShell 5 | Detects audio capture via PowerShell Cmdlet 6 | Falsepositives: Legitimate audio capture by legitimate user. 
7 | Sigma UUID: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 8 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml 9 | https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html 10 | attack.collection,attack.t1123,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_b64_shellcode.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | AAAAYInlM 4 | OiCAAAAYInlM|OiJAAAAYInlM 5 | ATT&CK T1036: PowerShell Base64 Encoded Shellcode 6 | Detects Base64 encoded Shellcode 7 | Falsepositives: Unknown. 8 | Sigma UUID: 2d117e49-e626-4c7c-bd1f-c3c0147774c8 9 | https://twitter.com/cyb3rops/status/1063072865992523776 10 | attack.defense_evasion,attack.t1036,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_bitsjob.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\powershell.exe$ 4 | Start-BitsTransfer 5 | ATT&CK T1197: Suspicious Bitsadmin Job via PowerShell 6 | Detect download by BITS jobs via PowerShell 7 | Falsepositives: Unknown. 
8 | Sigma UUID: f67dbfce-93bc-440d-86ad-a95ae8858c90 9 | https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html 10 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md 11 | attack.defense_evasion,attack.persistence,attack.t1197,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_downgrade_attack.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | -version\s+2 | -versio\s+2 | -versi\s+2 | -vers\s+2 | -ver\s+2 | -ve\s+2 4 | \\\\powershell.exe$ 5 | ATT&CK T1086: PowerShell Downgrade Attack 6 | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 7 | Falsepositives: Penetration Test. Unknown. 8 | Sigma UUID: b3512211-c67e-4707-bedc-66efc7848863 9 | http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ 10 | attack.defense_evasion,attack.execution,attack.t1086,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_download.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\powershell.exe 4 | new-object\s+system.net.webclient\).downloadstring\(|new-object\s+system.net.webclient\).downloadfile\(|new-object\s+net.webclient\).downloadstring\(|new-object\s+net.webclient\).downloadfile\( 5 | ATT&CK T1086: PowerShell Download from URL 6 | Detects a Powershell process that contains download commands in its command line string 7 | Falsepositives: unknown. 
8 | Sigma UUID: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 9 | attack.t1086,attack.execution,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_frombase64string.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | ::FromBase64String\( 4 | ATT&CK T1027: FromBase64String Command Line 5 | Detects suspicious FromBase64String expressions in command line arguments 6 | Falsepositives: Administrative script libraries. 7 | Sigma UUID: e32d4572-9826-4738-b651-95fa63747e8a 8 | https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 9 | attack.t1027,attack.defense_evasion,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_powershell_xor_commandline.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | -bxor 4 | ATT&CK T1086: Suspicious XOR Encoded PowerShell Command Line 5 | Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. 6 | Falsepositives: unknown. 7 | Sigma UUID: bb780e0c-16cf-4383-8383-1e5471db6cf9 8 | attack.execution,attack.t1086,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_process_dump_rundll32_comsvcs.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | comsvcs.dll,#24|comsvcs.dll,MiniDump 4 | ATT&CK T1036 T1003: Process Dump via Rundll32 and Comsvcs.dll 5 | Detects a process memory dump performed via ordinal function 24 in comsvcs.dll 6 | Falsepositives: Unlikely, because no one should dump the process memory in that way. 
7 | Sigma UUID: 646ea171-dded-4578-8a4d-65e9822892e3 8 | https://twitter.com/shantanukhande/status/1229348874298388484 9 | attack.defense_evasion,attack.t1036,attack.credential_access,attack.t1003,car.2013-05-009,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_psexesvc_start.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \.:\\\\Windows\\\\PSEXESVC.exe 4 | ATT&CK T1035 S0029: PsExec Service Start 5 | Detects a PsExec service start 6 | Falsepositives: Administrative activity. 7 | Sigma UUID: 3ede524d-21cc-472d-a3ce-d21b568d8db7 8 | attack.execution,attack.t1035,attack.s0029,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_rdp_hijack_shadowing.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | noconsentprompt 4 | shadow: 5 | ATT&CK: MSTSC Shadowing 6 | Detects RDP session hijacking by using MSTSC shadowing 7 | Falsepositives: Unknown. 8 | Sigma UUID: 6ba5a05f-b095-4f0a-8654-b825f4f16334 9 | https://twitter.com/kmkz_security/status/1220694202301976576 10 | https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet 11 | MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_remote_powershell_session_process.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\wsmprovhost.exe$ 4 | \\\\wsmprovhost.exe$ 5 | ATT&CK T1086: Remote PowerShell Session 6 | Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) 7 | Falsepositives: Legitimate usage of remote Powershell, e.g. for monitoring purposes. 
8 | Sigma UUID: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 9 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 10 | attack.execution,attack.t1086,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_renamed_powershell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | Windows PowerShell 4 | Microsoft Corporation 5 | !\\powershell.exe|\\powershell_ise.exe 6 | ATT&CK: Renamed PowerShell 7 | Detects the execution of a renamed PowerShell often used by attackers or malware 8 | Falsepositives: Unknown. 9 | Sigma UUID: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 10 | https://twitter.com/christophetd/status/1164506034720952320 11 | car.2013-05-009,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_renamed_procdump.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | procdump 4 | ATT&CK T1036: Renamed ProcDump 5 | !\\procdump.exe|\\procdump64.exe 6 | Detects the execution of a renamed ProcDump executable often used by attackers or malware 7 | Falsepositives: Procdump illegaly bundled with legitimate software. Weird admins who renamed binaries. 
8 | Sigma UUID: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 9 | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 10 | attack.defense_evasion,attack.t1036,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_renamed_psexec.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | Execute processes remotely 4 | Sysinternals PsExec 5 | !\\PsExec.exe|\\PsExec64.exe 6 | ATT&CK: Renamed PsExec 7 | Detects the execution of a renamed PsExec often used by attackers or malware 8 | Falsepositives: Software that illegaly integrates PsExec in a renamed form. Administrators that have renamed PsExec and no one knows why. 9 | Sigma UUID: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 10 | https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks 11 | car.2013-05-009,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_run_powershell_script_from_ads.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\powershell.exe$ 4 | \\\\powershell.exe$ 5 | Get-Content 6 | -Stream 7 | ATT&CK T1096: Run PowerShell Script from ADS 8 | Detects PowerShell script execution from Alternate Data Stream (ADS) 9 | Falsepositives: Unknown. 
10 | Sigma UUID: 45a594aa-1fbd-4972-a809-ff5a99dd81b8 11 | https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1 12 | attack.defense_evasion,attack.t1096,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_sdbinst_shim_persistence.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\sdbinst.exe 4 | .sdb 5 | ATT&CK T1138: Possible Shim Database Persistence via sdbinst.exe 6 | Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. 7 | Falsepositives: Unknown. 8 | Sigma UUID: 517490a7-115a-48c6-8862-1a481504d5a8 9 | https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html 10 | attack.persistence,attack.t1138,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_service_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\net.exe$|\\\\net1.exe$ 4 | start 5 | ATT&CK T1035: Service Execution 6 | Detects manual service execution (start) via system utilities 7 | Falsepositives: Legitimate administrator or user executes a service for legitimate reason. 
8 | Sigma UUID: 2a072a96-a086-49fa-bcb5-15cc5a619093 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml 10 | attack.execution,attack.t1035,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_service_stop.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\sc.exe$|\\\\net.exe$|\\\\net1.exe$ 4 | stop 5 | ATT&CK T1489: Stop Windows Service 6 | Detects a windows service to be stopped 7 | Falsepositives: Administrator shutting down the service due to upgrade or removal purposes. 8 | Sigma UUID: eb87818d-db5d-49cc-a987-d5da331fbd90 9 | attack.impact,attack.t1489,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_shadow_copies_access_symlink.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | mklink 4 | HarddiskVolumeShadowCopy 5 | ATT&CK T1003: Shadow Copies Access via Symlink 6 | Shadow Copies storage symbolic link creation using operating systems utilities 7 | Falsepositives: Legitimate administrator working with shadow copies, access for backup purposes. 8 | Sigma UUID: 40b19fa6-d835-400c-b301-41f3a2baacaf 9 | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_soundrec_audio_capture.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\SoundRecorder.exe$ 4 | /FILE 5 | ATT&CK T1123: Audio Capture via SoundRecorder 6 | Detect attacker collecting audio via SoundRecorder application 7 | Falsepositives: Legitimate audio capture by legitimate user. 
8 | Sigma UUID: 83865853-59aa-449e-9600-74b9d89a6d6e 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml 10 | https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html 11 | attack.collection,attack.t1123,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_bcdedit.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\bcdedit.exe 4 | delete|deletevalue|import 5 | ATT&CK T1070 T1067: Possible Ransomware or Unauthorized MBR Modifications 6 | Detects, possibly, malicious unauthorized usage of bcdedit.exe 7 | Sigma UUID: c9fbe8e9-119d-40a6-9b59-dd58a5d84429 8 | https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set 9 | attack.defense_evasion,attack.t1070,attack.persistence,attack.t1067,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_bginfo.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\bginfo.exe$ 4 | /popup 5 | /nolicprompt 6 | ATT&CK T1218: Application Whitelisting Bypass via Bginfo 7 | Execute VBscript code that is referenced within the *.bgi file. 8 | Falsepositives: Unknown. 
9 | Sigma UUID: aaf46cdc-934e-4284-b329-34aa701e3771 10 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml 11 | https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ 12 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_cdb.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\cdb.exe$ 4 | -cf 5 | ATT&CK T1218: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner 6 | Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. 7 | Falsepositives: Legitimate use of debugging tools. 8 | Sigma UUID: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 9 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml 10 | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html 11 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_certutil_encode.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | certutil\s+-f\s+-encode |certutil.exe\s+-f\s+-encode |certutil\s+-encode\s+-f |certutil.exe\s+-encode\s+-f 4 | ATT&CK: Certutil Encode 5 | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration 6 | Falsepositives: unknown. 
7 | Sigma UUID: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a 8 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil 9 | https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 10 | MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_codepage_switch.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | chcp\.* 936|chcp\.* 1258 4 | ATT&CK: Suspicious Code Page Switch 5 | Detects a code page switch in command line or batch scripts to a rare language 6 | Falsepositives: Administrative activity (adjust code pages according to your organisation's region). 7 | Sigma UUID: c7942406-33dd-4377-a564-0f62db0593a3 8 | https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers 9 | https://twitter.com/cglyer/status/1183756892952248325 10 | MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_control_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\System32\\\\control.exe 4 | \\\\rundll32.exe 5 | !Shell32.dll 6 | ATT&CK T1073 T1085: Suspicious Control Panel DLL Load 7 | Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits 8 | Falsepositives: Unknown. 
9 | Sigma UUID: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 10 | https://twitter.com/rikvduijn/status/853251879320662017 11 | attack.defense_evasion,attack.t1073,attack.t1085,car.2013-10-002,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_copy_lateral_movement.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | copy \.*\\\\c\$|copy \.*\\\\ADMIN\$ 4 | ATT&CK T1077 T1105: Copy from Admin Share 5 | Detects a suspicious copy command from a remote C$ or ADMIN$ share 6 | Falsepositives: Administrative scripts. 7 | Sigma UUID: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 8 | https://twitter.com/SBousseaden/status/1211636381086339073 9 | attack.lateral_movement,attack.t1077,attack.t1105,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_crackmapexec_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | cmd.exe\s+/Q\s+/c \.* 1>\s+\\\\\\\\\.*\\\\\.*\\\\\.* 2>&1|cmd.exe\s+/C \.* >\s+\\\\\\\\\.*\\\\\.*\\\\\.* 2>&1|cmd.exe\s+/C \.* > \.*\\\\\\\\Temp\\\\\.* 2>&1|powershell.exe\s+-exec\s+bypass\s+-noni\s+-nop\s+-w\s+1\s+-C\s+"|powershell.exe\s+-noni\s+-nop\s+-w\s+1\s+-enc 4 | ATT&CK T1047 T1053 T1086: CrackMapExec Command Execution 5 | Detect various execution methods of the CrackMapExec pentesting framework 6 | Falsepositives: Unknown. 
7 | Sigma UUID: 058f4380-962d-40a5-afce-50207d36d7e2 8 | https://github.com/byt3bl33d3r/CrackMapExec 9 | attack.execution,attack.t1047,attack.t1053,attack.t1086,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_csc.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\csc.exe 4 | \\\\wscript.exe|\\\\cscript.exe|\\\\mshta.exe 5 | ATT&CK T1036: Suspicious Parent of Csc.exe 6 | Detects a suspicious parent of csc.exe, which could by a sign of payload delivery 7 | Falsepositives: Unkown. 8 | Sigma UUID: b730a276-6b63-41b8-bcf8-55930c8fc6ee 9 | https://twitter.com/SBousseaden/status/1094924091256176641 10 | attack.defense_evasion,attack.t1036,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_curl_start_combo.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | curl\.* start 4 | ATT&CK T1218: Curl Start Combination 5 | Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. 6 | Falsepositives: Administrative scripts (installers). 
7 | Sigma UUID: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 8 | https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 9 | attack.execution,attack.t1218,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_devtoolslauncher.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\devtoolslauncher.exe$ 4 | LaunchForDeploy 5 | ATT&CK T1218: Devtoolslauncher.exe Executes Specified Binary 6 | The Devtoolslauncher.exe executes other binary 7 | Falsepositives: Legitimate use of devtoolslauncher.exe by legitimate user. 8 | Sigma UUID: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 9 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml 10 | https://twitter.com/_felamos/status/1179811992841797632 11 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_dnx.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\dnx.exe$ 4 | ATT&CK T1218: Application Whitelisting Bypass via Dnx.exe 5 | Execute C# code located in the consoleapp folder 6 | Falsepositives: Legitimate use of dnx.exe by legitimate user. 
7 | Sigma UUID: 81ebd28b-9607-4478-bf06-974ed9d53ed7 8 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml 9 | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ 10 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_double_extension.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | .doc.exe|.docx.exe|.xls.exe|.xlsx.exe|.ppt.exe|.pptx.exe|.rtf.exe|.pdf.exe|.txt.exe| .exe|______.exe 4 | ATT&CK T1193: Suspicious Double Extension 5 | Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns 6 | Falsepositives: Unknown. 7 | Sigma UUID: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 8 | https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html 9 | https://twitter.com/blackorbird/status/1140519090961825792 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_dxcap.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\dxcap.exe$ 4 | -c 5 | .exe 6 | ATT&CK T1218: Application Whitelisting Bypass via Dxcap.exe 7 | Detects execution of of Dxcap.exe 8 | Falsepositives: Legitimate execution of dxcap.exe by legitimate user. 
9 | Sigma UUID: 60f16a96-db70-42eb-8f76-16763e333590 10 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml 11 | https://twitter.com/harr0ey/status/992008180904419328 12 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_execution_path.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\\$Recycle.bin|\\\\Users\\\\All Users\\\\|\\\\Users\\\\Default\\\\|\\\\Users\\\\Public\\\\|\.:\\\\Perflogs\\\\|\\\\config\\\\systemprofile\\\\|\\\\Windows\\\\Fonts\\\\|\\\\Windows\\\\IME\\\\|\\\\Windows\\\\addins\\\\ 4 | ATT&CK T1036: Execution in Non-Executable Folder 5 | Detects a suspicious exection from an uncommon folder 6 | Falsepositives: Unknown. 7 | Sigma UUID: 3dfd06d2-eaf4-4532-9555-68aca59f57c4 8 | attack.defense_evasion,attack.t1036,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_firewall_disable.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | netsh\s+firewall\s+set\s+opmode\s+mode=disable|netsh\s+advfirewall\s+set \.* state\s+off 4 | ATT&CK: Firewall Disabled via Netsh 5 | Detects netsh commands that turns off the Windows firewall 6 | Falsepositives: Legitimate administration. 
7 | Sigma UUID: 57c4bf16-227f-4394-8ec7-1b745ee061c3 8 | https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/ 9 | https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/ 10 | attack.defense_evasion,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_iss_module_install.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\APPCMD.EXE\s+install\s+module\s+/name: 4 | ATT&CK T1100: IIS Native-Code Module Command Line Installation 5 | Detects suspicious IIS native-code module installations via command line 6 | Falsepositives: Unknown as it may vary from organisation to arganisation how admins use to install IIS modules. 7 | Sigma UUID: 9465ddf4-f9e4-4ebd-8d98-702df3a93239 8 | https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ 9 | attack.persistence,attack.t1100,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_msiexec_cwd.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\msiexec.exe 4 | !:\\Windows\\System32\\|:\\Windows\\SysWOW64\\|:\\Windows\\WinSxS\\ 5 | ATT&CK T1036: Suspicious MsiExec Directory 6 | Detects suspicious msiexec process starts in an uncommon directory 7 | Falsepositives: Unknown. 
8 | Sigma UUID: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 9 | https://twitter.com/200_okay_/status/1194765831911215104 10 | attack.defense_evasion,attack.t1036,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_msiexec_web_install.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | msiexec\.:// 4 | ATT&CK: MsiExec Web Install 5 | Detects suspicious msiexec process starts with web addreses as parameter 6 | Falsepositives: False positives depend on scripts and administrative tools used in the monitored environment. 7 | Sigma UUID: f7b5f842-a6af-4da5-9e95-e32478f3cd2f 8 | https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ 9 | attack.defense_evasion,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_msoffice.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\powerpnt.exe$|\\\\winword.exe$|\\\\excel.exe$ 4 | http 5 | ATT&CK T1105: Malicious Payload Download via Office Binaries 6 | Downloads payload from remote server 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 0c79148b-118e-472b-bdb7-9b57b444cc19 9 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml 10 | https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 11 | Reegun J (OCBC Bank) 12 | attack.command_and_control,attack.t1105,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_netsh_dll_persistence.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\netsh.exe$ 4 | add 5 | helper 6 | ATT&CK T1128: Suspicious Netsh DLL Persistence 7 | Detects persitence via netsh helper 8 | Falsepositives: Unknown. 9 | Sigma UUID: 56321594-9087-49d9-bf10-524fe8479452 10 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md 11 | attack.persistence,attack.t1128,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_ntdsutil.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\ntdsutil 4 | ATT&CK T1003: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) 5 | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) 6 | Falsepositives: NTDS maintenance. 
7 | Sigma UUID: 2afafd61-6aae-4df4-baed-139fa1f4c345 8 | https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm 9 | attack.credential_access,attack.t1003,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_openwith.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\OpenWith.exe$ 4 | /c 5 | ATT&CK T1218: OpenWith.exe Executes Specified Binary 6 | The OpenWith.exe executes other binary 7 | Falsepositives: Legitimate use of OpenWith.exe by legitimate user. 8 | Sigma UUID: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f 9 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml 10 | https://twitter.com/harr0ey/status/991670870384021504 11 | attack.defense_evasion,attack.execution,attack.t1218,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_outlook_temp.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\Temporary Internet Files\\\\Content.Outlook\\\\ 4 | ATT&CK T1193: Execution in Outlook Temp Folder 5 | Detects a suspicious program execution in Outlook temp folder 6 | Falsepositives: Unknown. 7 | Sigma UUID: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 8 | attack.initial_access,attack.t1193,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_ping_hex_ip.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\ping.exe\s+0x|\\\\ping\s+0x 4 | ATT&CK T1140 T1027: Ping Hex IP 5 | Detects a ping command that uses a hex encoded IP address 6 | Falsepositives: Unlikely, because no sane admin pings IP addresses in a hexadecimal form. 
7 | Sigma UUID: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd 8 | https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna 9 | https://twitter.com/vysecurity/status/977198418354491392 10 | attack.defense_evasion,attack.t1140,attack.t1027,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_powershell_parent_combo.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\wscript.exe|\\\\cscript.exe 4 | \\\\powershell.exe 5 | !\\Health Service State\\ 6 | ATT&CK T1086: Suspicious PowerShell Invocation Based on Parent Process 7 | Detects suspicious powershell invocations from interpreters or unusual programs 8 | Falsepositives: Microsoft Operations Manager (MOM). Other scripts. 9 | Sigma UUID: 95eadcb2-92e4-4ed1-9031-92547773a6db 10 | https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ 11 | attack.execution,attack.t1086,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_prog_location_process_starts.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\\$Recycle.bin|\\\\Users\\\\Public\\\\|\.:\\\\Perflogs\\\\|\\\\Windows\\\\Fonts\\\\|\\\\Windows\\\\IME\\\\|\\\\Windows\\\\addins\\\\|\\\\Windows\\\\debug\\\\ 4 | ATT&CK T1036: Suspicious Program Location Process Starts 5 | Detects programs running in suspicious files system locations 6 | Falsepositives: unknown. 
7 | Sigma UUID: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5 8 | https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo 9 | attack.defense_evasion,attack.t1036,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_ps_appdata.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | /c\s+powershell\.*\\\\AppData\\\\Local\\\\| /c\s+powershell\.*\\\\AppData\\\\Roaming\\\\ 4 | ATT&CK T1086: PowerShell Script Run in AppData 5 | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 6 | Falsepositives: Administrative scripts. 7 | Sigma UUID: ac175779-025a-4f12-98b0-acdaeb77ea85 8 | https://twitter.com/JohnLaTwC/status/1082851155481288706 9 | https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 10 | attack.execution,attack.t1086,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_ps_downloadfile.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | powershell 4 | .DownloadFile 5 | System.Net.WebClient 6 | ATT&CK T1086: PowerShell DownloadFile 7 | Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line 8 | Falsepositives: Unknown. 
9 | Sigma UUID: 8f70ac5f-1f6f-4f8e-b454-db19561216c5 10 | https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html 11 | attack.execution,attack.t1086,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_psr_capture_screenshots.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\Psr.exe$ 4 | /start 5 | ATT&CK T1218: Psr.exe Capture Screenshots 6 | The psr.exe captures desktop screenshots and saves them on the local machine 7 | Falsepositives: Unknown. 8 | Sigma UUID: 2158f96f-43c2-43cb-952a-ab4580f32382 9 | https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml 10 | https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf 11 | attack.persistence,attack.t1218,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_rasdial_activity.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | rasdial 4 | ATT&CK T1064: Suspicious RASdial Activity 5 | Detects suspicious process related to rasdial.exe 6 | Falsepositives: False positives depend on scripts and administrative tools used in the monitored environment. 
7 | Sigma UUID: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e 8 | https://twitter.com/subTee/status/891298217907830785 9 | attack.defense_evasion,attack.execution,attack.t1064,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_recon_activity.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | net\s+group\s+"domain\s+admins"\s+/domain|net\s+localgroup\s+administrators 4 | ATT&CK T1087: Suspicious Reconnaissance Activity 5 | Detects suspicious command line activity on Windows systems 6 | Falsepositives: Inventory tool runs. Penetration tests. Administrative activity. 7 | Sigma UUID: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 8 | attack.discovery,attack.t1087,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_renamed_dctask64.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | IMPPHASH=6834B1B94E49701D77CCB3C0895E1AFD 4 | !\\dctask64.exe 5 | ATT&CK T1055: Renamed ZOHO Dctask64 6 | Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation 7 | Falsepositives: Unknown yet. 
8 | Sigma UUID: 340a090b-c4e9-412e-bb36-b4b16fe96f9b 9 | https://twitter.com/gN3mes1s/status/1222088214581825540 10 | https://twitter.com/gN3mes1s/status/1222095963789111296 11 | https://twitter.com/gN3mes1s/status/1222095371175911424 12 | attack.defense_evasion,attack.t1055,MITRE 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_schtask_creation.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\schtasks.exe 4 | /create 5 | !NT AUTHORITY\\SYSTEM 6 | ATT&CK T1053 S0111: Scheduled Task Creation 7 | Detects the creation of scheduled tasks in user session 8 | Falsepositives: Administrative activity. Software installation. 9 | Sigma UUID: 92626ddd-662c-49e3-ac59-f6535f12d189 10 | attack.execution,attack.persistence,attack.privilege_escalation,attack.t1053,attack.s0111,car.2013-08-001,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_script_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\wscript.exe$|\\\\cscript.exe$ 4 | .jse|.vbe|.js|.vba 5 | ATT&CK T1064: WSF/JSE/JS/VBA/VBE File Execution 6 | Detects suspicious file execution by wscript and cscript 7 | Falsepositives: Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.. 
8 | Sigma UUID: 1e33157c-53b1-41ad-bbcc-780b80b58288 9 | attack.execution,attack.t1064,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_service_path_modification.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\sc.exe$ 4 | config 5 | binpath 6 | powershell|cmd 7 | ATT&CK T1031: Suspicious Service Path Modification 8 | Detects service path modification to powershell/cmd 9 | Falsepositives: Unknown. 10 | Sigma UUID: 138d3531-8793-4f50-a2cd-f291b2863d78 11 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml 12 | attack.persistence,attack.t1031,MITRE 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_sysprep_appdata.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\sysprep.exe \.*\\\\AppData\\\\|sysprep.exe \.*\\\\AppData\\\\ 4 | ATT&CK: Sysprep on AppData Folder 5 | Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) 6 | Falsepositives: False positives depend on scripts and administrative tools used in the monitored environment. 
7 | Sigma UUID: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e 8 | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets 9 | https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b 10 | attack.execution,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_sysvol_access.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\SYSVOL\\\\\.*\\\\policies\\\\ 4 | ATT&CK T1003: Suspicious SYSVOL Domain Group Policy Access 5 | Detects access to Domain Group Policies stored in SYSVOL 6 | Falsepositives: administrative activity. 7 | Sigma UUID: 05f3c945-dcc8-4393-9f3d-af65077a8f86 8 | https://adsecurity.org/?p=2288 9 | https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_taskmgr_localsystem.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | NT AUTHORITY\\\\SYSTEM 4 | \\\\taskmgr.exe 5 | ATT&CK T1036: Taskmgr as LOCAL_SYSTEM 6 | Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM 7 | Falsepositives: Unknown.
8 | Sigma UUID: 9fff585c-c33e-4a86-b3cd-39312079a65f 9 | attack.defense_evasion,attack.t1036,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_taskmgr_parent.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\taskmgr.exe 4 | !\\resmon.exe|\\mmc.exe 5 | ATT&CK T1036: Taskmgr as Parent 6 | Detects the creation of a process from Windows task manager 7 | Falsepositives: Administrative activity. 8 | Sigma UUID: 3d7679bd-0c00-440c-97b0-3f204273e6c7 9 | attack.defense_evasion,attack.t1036,MITRE 10 | 11 | 12 | 13 | 262010 14 | \\\\resmon.exe|\\\\mmc.exe|\\\\taskmgr.exe 15 | Whitelist Interaction: Taskmgr as Parent 16 | attack.defense_evasion,attack.t1036,MITRE 17 | 18 | 19 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_tscon_localsystem.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | NT AUTHORITY\\\\SYSTEM 4 | \\\\tscon.exe 5 | ATT&CK T1219: Suspicious TSCON Start 6 | Detects a tscon.exe start as LOCAL SYSTEM 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 9847f263-4a81-424f-970c-875dab15b79b 9 | http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 10 | https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 11 | attack.command_and_control,attack.t1219,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_tscon_rdp_redirect.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | /dest:rdp-tcp: 4 | ATT&CK T1076: Suspicious RDP Redirect Using TSCON 5 | Detects a suspicious RDP session redirect using tscon.exe 6 | Falsepositives: Unknown. 7 | Sigma UUID: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb 8 | http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 9 | https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 10 | attack.lateral_movement,attack.privilege_escalation,attack.t1076,car.2013-07-002,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_use_of_csharp_console.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\csi.exe$ 4 | \\\\powershell.exe$ 5 | csi.exe 6 | ATT&CK T1127: Suspicious Use of CSharp Interactive Console 7 | Detects the execution of CSharp interactive console by PowerShell 8 | Falsepositives: Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.. 
9 | Sigma UUID: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61 10 | https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/ 11 | attack.execution,attack.t1127,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_susp_userinit_child.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\userinit.exe 4 | !\\explorer.exe 5 | ATT&CK: Suspicious Userinit Child Process 6 | Detects a suspicious child process of userinit 7 | Falsepositives: Administrative scripts. 8 | Sigma UUID: b655a06a-31c0-477a-95c2-3726b83d649d 9 | https://twitter.com/SBousseaden/status/1139811587760562176 10 | MITRE 11 | 12 | 13 | 14 | 262040 15 | \\\\netlogon\\\\ 16 | Whitelist Interaction: Suspicious Userinit Child Process 17 | MITRE 18 | 19 | 20 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_sysmon_driver_unload.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\fltmc.exe$ 4 | unload 5 | sys 6 | ATT&CK: Sysmon Driver Unload 7 | Detects a possible Sysmon driver unload 8 | Falsepositives: Unknown. 9 | Sigma UUID: 4d7cda18-1b12-4e52-b45c-d28653210df8 10 | https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon 11 | MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_tap_installer_execution.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\tapinstall.exe$ 4 | ATT&CK T1048: Tap Installer Execution 5 | Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques 6 | Falsepositives: Legitimate OpenVPN TAP installation.
7 | Sigma UUID: 99793437-3e16-439b-be0f-078782cf953d 8 | attack.exfiltration,attack.t1048,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_termserv_proc_spawn.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\svchost.exe\.*termsvcs 4 | !\\rdpclip.exe 5 | ATT&CK: Terminal Service Process Spawn 6 | Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) 7 | Falsepositives: Unknown. 8 | Sigma UUID: 1012f107-b8f1-4271-af30-5aed2de89b39 9 | https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ 10 | car.2013-07-002,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_uac_cmstp.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\cmstp.exe$ 4 | /s|/au 5 | ATT&CK T1191 T1088: Bypass UAC via CMSTP 6 | Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). 7 | Falsepositives: Legitimate use of cmstp.exe utility by legitimate user. 
8 | Sigma UUID: e66779cc-383e-4224-a3a4-267eeb585c40 9 | https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html 10 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md 11 | attack.defense_evasion,attack.execution,attack.t1191,attack.t1088,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_uac_fodhelper.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\fodhelper.exe$ 4 | ATT&CK T1088: Bypass UAC via Fodhelper.exe 5 | Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. 6 | Falsepositives: Legitimate use of fodhelper.exe utility by legitimate user. 7 | Sigma UUID: 7f741dcf-fc22-4759-87b4-9ae8376676a2 8 | https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html 9 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md 10 | attack.privilege_escalation,attack.t1088,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_uac_wsreset.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\wsreset.exe$ 4 | !\\conhost.exe 5 | ATT&CK T1088: Bypass UAC via WSReset.exe 6 | Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. 7 | Falsepositives: Unknown. 
8 | Sigma UUID: d797268e-28a9-49a7-b9a8-2f5039011c5c 9 | https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html 10 | attack.privilege_escalation,attack.t1088,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_vul_java_remote_debugging.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | transport=dt_socket,address= 4 | ATT&CK T1046: Java Running with Remote Debugging 5 | Detects a JAVA process running with remote debugging allowing more than just localhost to connect 6 | Falsepositives: unknown. 7 | Sigma UUID: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 8 | attack.discovery,attack.t1046,MITRE 9 | 10 | 11 | 12 | 262180 13 | address=127.0.0.1|address=localhost 14 | Whitelist Interaction Java Running with Remote Debugging 15 | attack.discovery,attack.t1046,MITRE 16 | 17 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_webshell_detection.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\apache|\\\\tomcat|\\\\w3wp.exe|\\\\php-cgi.exe|\\\\nginx.exe|\\\\httpd.exe 4 | whoami|net\s+user |ping\s+-n |systeminfo|&cd&echo|cd\s+/d 5 | ATT&CK T1100: Webshell Detection With Command Line Keywords 6 | Detects certain command line parameters often used during reconnaissance activity via web shells 7 | Falsepositives: unknown. 
8 | Sigma UUID: bed2a484-9348-4143-8a8a-b801c979301c 9 | attack.privilege_escalation,attack.persistence,attack.t1100,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_webshell_spawn.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\w3wp.exe|\\\\httpd.exe|\\\\nginx.exe|\\\\php-cgi.exe|\\\\tomcat.exe 4 | \\\\cmd.exe|\\\\sh.exe|\\\\bash.exe|\\\\powershell.exe|\\\\bitsadmin.exe 5 | ATT&CK T1100: Shells Spawned by Web Servers 6 | Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack 7 | Falsepositives: Particular web applications may spawn a shell process legitimately. 8 | Sigma UUID: 8202070f-edeb-4d31-a010-a26c72ac5600 9 | attack.privilege_escalation,attack.persistence,attack.t1100,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_whoami_as_system.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | NT AUTHORITY\\\\SYSTEM 4 | \\\\whoami.exe$ 5 | ATT&CK T1033: Run Whoami as SYSTEM 6 | Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 80167ada-7a12-41ed-b8e9-aa47195c66a1 9 | https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment 10 | attack.discovery,attack.privilege_escalation,attack.t1033,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_win10_sched_task_0day.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\schtasks.exe$ 4 | /change\.*/TN\.*/RU\.*/RP 5 | ATT&CK T1053: Windows 10 Scheduled Task SandboxEscaper 0-day 6 | Detects Task Scheduler .job import arbitrary DACL write 7 | Falsepositives: Unknown. 8 | Sigma UUID: 931b6802-d6a6-4267-9ffa-526f57f22aaf 9 | https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe 10 | attack.privilege_escalation,attack.execution,attack.t1053,car.2013-08-001,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\EdgeTransport.exe 4 | ATT&CK T1084: WMI Backdoor Exchange Transport Agent 5 | Detects a WMI backdoor in Exchange Transport Agents via WMI event filters 6 | Falsepositives: Unknown.
7 | Sigma UUID: 797011dc-44f4-4e6f-9f10-a8ceefbe566b 8 | https://twitter.com/cglyer/status/1182389676876980224 9 | https://twitter.com/cglyer/status/1182391019633029120 10 | attack.persistence,attack.t1084,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_wmi_persistence_script_event_consumer.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \.:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe 4 | \.:\\\\Windows\\\\System32\\\\svchost.exe 5 | ATT&CK T1047: WMI Persistence - Script Event Consumer 6 | Detects WMI script event consumers 7 | Falsepositives: Legitimate event consumers. 8 | Sigma UUID: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e 9 | https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 10 | attack.execution,attack.persistence,attack.t1047,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_wmi_spwns_powershell.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\wmiprvse.exe 4 | \\\\powershell.exe 5 | ATT&CK T1064: WMI Spawning Windows PowerShell 6 | Detects WMI spawning PowerShell 7 | Falsepositives: AppvClient. CCM. 
8 | Sigma UUID: 692f0bec-83ba-4d04-af7e-e884a96059b6 9 | https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml 10 | https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e 11 | attack.execution,attack.defense_evasion,attack.t1064,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_workflow_compiler.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\Microsoft.Workflow.Compiler.exe 4 | ATT&CK T1127: Microsoft Workflow Compiler 5 | Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. 6 | Falsepositives: Legitimate MWC use (unlikely in modern enterprise environments). 7 | Sigma UUID: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d 8 | https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb 9 | attack.defense_evasion,attack.execution,attack.t1127,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/process_creation/win_wsreset_uac_bypass.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | \\\\WSreset.exe$ 4 | ATT&CK T1088: Wsreset UAC Bypass 5 | Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC 6 | Falsepositives: Unknown sub processes of Wsreset.exe. 
7 | Sigma UUID: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae 8 | https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ 9 | https://www.activecyber.us/activelabs/windows-uac-bypass 10 | https://twitter.com/ReaQta/status/1222548288731217921 11 | attack.defense_evasion,attack.execution,attack.t1088,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_apt_turla_namedpipes.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^17$|^18$ 4 | \\\\atctl|\\\\userpipe|\\\\iehelper|\\\\sdlrpc|\\\\comnap 5 | ATT&CK: Turla Group Named Pipes 6 | Detects a named pipe used by Turla group samples 7 | Falsepositives: Unknown. 8 | Sigma UUID: 739915e4-1e70-4778-8b8a-17db02f66db1 9 | Internal Research 10 | attack.g0010,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_cobaltstrike_process_injection.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event8 3 | 0B80$|0C7C$|0C88$ 4 | ATT&CK T1055: CobaltStrike Process Injection 5 | Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons 6 | Falsepositives: unknown.
7 | Sigma UUID: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 8 | https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f 9 | https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ 10 | attack.defense_evasion,attack.t1055,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_createremotethread_loadlibrary.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event8 3 | \\\\kernel32.dll$ 4 | LoadLibraryA 5 | ATT&CK T1055: CreateRemoteThread API and LoadLibrary 6 | Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process 7 | Falsepositives: Unknown. 8 | Sigma UUID: 052ec6f6-1adc-41e6-907a-f1c813478bee 9 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md 10 | attack.defense_evasion,attack.t1055,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^17$ 4 | \\\\lsadump|\\\\cachedump|\\\\wceservicepipe 5 | ATT&CK T1003: Cred Dump-Tools Named Pipes 6 | Detects well-known credential dumping tools execution via specific named pipes 7 | Falsepositives: Legitimate Administrator using tool for password recovery. 
8 | Sigma UUID: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e 9 | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_ghostpack_safetykatz.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_11 3 | \\\\Temp\\\\debug.bin 4 | ATT&CK T1003: Detection of SafetyKatz 5 | Detects possible SafetyKatz Behaviour 6 | Falsepositives: Unknown. 7 | Sigma UUID: e074832a-eada-4fd7-94a1-10642b130e16 8 | https://github.com/GhostPack/SafetyKatz 9 | attack.credential_access,attack.t1003,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_invoke_phantom.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_10 3 | \\\\windows\\\\system32\\\\svchost.exe 4 | 0x1f3fff 5 | unknown 6 | ATT&CK T1089: Suspect Svchost Memory Access 7 | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the WinRM Windows event logging service. 8 | Falsepositives: unknown.
9 | Sigma UUID: 166e9c50-8cd9-44af-815d-d1f0c0e90dde 10 | https://github.com/hlldz/Invoke-Phant0m 11 | https://twitter.com/timbmsft/status/900724491076214784 12 | attack.t1089,attack.defense_evasion,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_lsass_memdump.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_10 3 | \.:\\\\windows\\\\system32\\\\lsass.exe 4 | 0x1fffff 5 | dbghelp.dll|dbgcore.dll 6 | ATT&CK T1003 S0002: LSASS Memory Dump 7 | Detects an LSASS process memory dump using procdump or taskmgr, based on the CallTrace pointing to dbghelp.dll or dbgcore.dll on Windows 10 8 | Falsepositives: unknown. 9 | Sigma UUID: 5ef9853e-4d0e-4a70-846f-a9ca37d876da 10 | https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html 11 | attack.t1003,attack.s0002,attack.credential_access,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_11 3 | lsass 4 | dmp$ 5 | ATT&CK T1003: LSASS Memory Dump File Creation 6 | LSASS memory dump creation using operating system utilities. Procdump will use the process name in the output file if no name is specified 7 | Falsepositives: Dumping lsass memory for forensic investigation purposes by a legitimate incident responder or forensic investigator.
8 | Sigma UUID: 5e3d3601-0662-4af0-b1d2-36a05e90c40a 9 | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_mal_namedpipes.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^17$|^18$ 4 | \\\\isapi_http|\\\\isapi_dg|\\\\isapi_dg2|\\\\sdlrpc|\\\\ahexec|\\\\winsession|\\\\lsassw|\\\\46a676ab7f179e511e30dd2dc41bd388|\\\\9f81f59bc58452127884ce513865ed20|\\\\e710f28d59aa529d6792ca6ff0ca1b34|\\\\rpchlp_3|\\\\NamePipe_MoreWindows|\\\\pcheap_reuse|\\\\msagent_|\\\\gruntsvc 5 | ATT&CK T1055: Malicious Named Pipe 6 | Detects the creation of a named pipe used by known APT malware 7 | Falsepositives: Unknown. 8 | Sigma UUID: fe3ac066-98bb-432a-b1e7-a5229cb39d4a 9 | Various sources 10 | attack.defense_evasion,attack.privilege_escalation,attack.t1055,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_mimikatz_trough_winrm.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_10 3 | \.:\\\\windows\\\\system32\\\\lsass.exe 4 | \.:\\\\Windows\\\\system32\\\\wsmprovhost.exe 5 | ATT&CK T1003 T1028 S0005: Mimikatz through Windows Remote Management 6 | Detects usage of mimikatz through the WinRM protocol by monitoring access to the lsass process by wsmprovhost.exe. 7 | Falsepositives: low.
8 | Sigma UUID: aa35a627-33fb-4d04-a165-d33b4afca3e8 9 | https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ 10 | attack.credential_access,attack.execution,attack.t1003,attack.t1028,attack.s0005,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_password_dumper_lsass.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event8 3 | \.:\\\\Windows\\\\System32\\\\lsass.exe 4 | null|^$|^ $|^-$ 5 | ATT&CK T1003 S0005: Password Dumper Remote Thread in LSASS 6 | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. 7 | Falsepositives: unknown. 8 | Sigma UUID: f239b326-2f41-4d6b-9dfa-c846a60ef505 9 | https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm 10 | attack.credential_access,attack.t1003,attack.s0005,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_possible_dns_rebinding.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_powershell_execution_moduleload.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | system.management.automation 4 | system.management.automation 5 | ATT&CK T1086: PowerShell Execution 6 | Detects execution of PowerShell 7 | Falsepositives: Unknown. 
8 | Sigma UUID: 867613fb-fa60-4497-a017-a82df74a172c 9 | https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml 10 | attack.execution,attack.t1086,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_quarkspw_filedump.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_11 3 | \\\\AppData\\\\Local\\\\Temp\\\\SAM-\.*.dmp 4 | ATT&CK T1003: QuarksPwDump Dump File 5 | Detects a dump file written by QuarksPwDump password dumper 6 | Falsepositives: Unknown. 7 | Sigma UUID: 847def9e-924d-4e90-b7c4-5f581395a2b4 8 | https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm 9 | attack.credential_access,attack.t1003,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_rdp_reverse_tunnel.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event3 3 | \\\\svchost.exe 4 | true 5 | ^3389$ 6 | 127.|::1 7 | ATT&CK T1076: RDP Over Reverse SSH Tunnel 8 | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 9 | Falsepositives: unknown. 
10 | Sigma UUID: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 11 | https://twitter.com/SBousseaden/status/1096148422984384514 12 | attack.defense_evasion,attack.command_and_control,attack.t1076,car.2013-07-002,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_rdp_settings_hijack.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_13 3 | \\\\services\\\\TermService\\\\Parameters\\\\ServiceDll|\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser|\\\\Control\\\\Terminal Server\\\\fDenyTSConnections 4 | ATT&CK: RDP Sensitive Settings Changed 5 | Detects registry value changes (Sysmon Event ID 13) to sensitive Terminal Services settings: the TermService ServiceDll, fSingleSessionPerUser and fDenyTSConnections 6 | Falsepositives: Legitimately enabling or disabling Remote Desktop also writes fDenyTSConnections, so administrative changes will match and need to be baselined. 7 | Sigma UUID: 171b67e1-74b4-460e-8d55-b331f3e32d67 8 | https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html 9 | attack.defense_evasion,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_registry_persistence_key_linking.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_12 3 | CreateKey 4 | HKU\\\\\.*_Classes\\\\CLSID\\\\\.*\\\\TreatAs 5 | ATT&CK T1122: Windows Registry Persistence COM Key Linking 6 | Detects COM object hijacking via creation of a TreatAs subkey under a per-user CLSID 7 | Falsepositives: In rare cases some system utilities use TreatAs linking keys for backward compatibility. 
8 | Sigma UUID: 9b0f8a61-91b2-464f-aceb-0527e0a45020 9 | https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ 10 | attack.persistence,attack.t1122,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_registry_trust_record_modification.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_12 3 | TrustRecords 4 | ATT&CK T1193: Windows Registry Trust Record Modification 5 | Alerts on trust record modification within the registry, indicating usage of macros 6 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 7 | Sigma UUID: 295a59c1-7b79-4b47-a930-df12c15fc9c2 8 | https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ 9 | http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_regsvr32_network_activity.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^3$|^22$ 4 | \\\\regsvr32.exe$ 5 | ATT&CK T1117: Regsvr32 Network Activity 6 | Detects network connections and DNS queries initiated by Regsvr32.exe 7 | Falsepositives: unknown. 
8 | Sigma UUID: c7e91a02-d771-4a6d-a700-42587e0b1095 9 | https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ 10 | https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ 11 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md 12 | attack.execution,attack.defense_evasion,attack.t1117,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_remote_powershell_session_network.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event3 3 | ^5985$|^5986$ 4 | !NT AUTHORITY\\NETWORK SERVICE 5 | ATT&CK T1086: Remote PowerShell Session 6 | Detects remote PowerShell sessions by monitoring outbound network connections (Sysmon Event ID 3) to the WinRM ports 5985 or 5986 made by any account other than NT AUTHORITY\NETWORK SERVICE 7 | Falsepositives: Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. 8 | Sigma UUID: c539afac-c12a-46ed-b1bd-5a5567c9f045 9 | https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 10 | attack.execution,attack.t1086,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_renamed_jusched.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event1 3 | Java Update Scheduler|Java\(TM\) Update Scheduler 4 | !\\jusched.exe 5 | ATT&CK T1036: Renamed jusched.exe 6 | Detects a process whose file description identifies it as the Java Update Scheduler but whose image name is not jusched.exe, a renaming technique used by the Cobalt group 7 | Falsepositives: Penetration tests, red teaming. 
8 | Sigma UUID: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb 9 | https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf 10 | attack.t1036,attack.execution,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_renamed_powershell.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | Windows PowerShell 4 | Microsoft Corporation 5 | !\\powershell.exe|\\powershell_ise.exe 6 | ATT&CK: Renamed PowerShell 7 | Detects the execution of a renamed PowerShell binary (file description "Windows PowerShell" from Microsoft Corporation, but image name not powershell.exe or powershell_ise.exe), a technique often used by attackers or malware 8 | Falsepositives: Unknown. 9 | Sigma UUID: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 10 | https://twitter.com/christophetd/status/1164506034720952320 11 | car.2013-05-009,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_renamed_procdump.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | procdump 4 | !\\procdump.exe|\\procdump64.exe 5 | ATT&CK T1036: Renamed ProcDump 6 | Detects the execution of a renamed ProcDump executable (original file name procdump, but image name not procdump.exe or procdump64.exe), a technique often used by attackers or malware 7 | Falsepositives: ProcDump illegally bundled with legitimate software. Administrators who renamed the binary. 
8 | Sigma UUID: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 9 | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 10 | attack.defense_evasion,attack.t1036,MITRE 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_renamed_psexec.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | Execute processes remotely 4 | Sysinternals PsExec 5 | !\\PsExec.exe|\\PsExec64.exe 6 | ATT&CK: Renamed PsExec 7 | Detects the execution of a renamed PsExec binary (file description "Execute processes remotely", product "Sysinternals PsExec", but image name not PsExec.exe or PsExec64.exe), a technique often used by attackers or malware 8 | Falsepositives: Software that illegally integrates PsExec in a renamed form. Administrators who have renamed PsExec for undocumented reasons. 9 | Sigma UUID: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 10 | https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks 11 | car.2013-05-009,MITRE 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_download_run_key.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_13 3 | \\\\Downloads\\\\|\\\\Temporary Internet Files\\\\Content.Outlook\\\\|\\\\Local Settings\\\\Temporary Internet Files\\\\ 4 | \\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ 5 | ATT&CK T1060: Suspicious RUN Key from Download 6 | Detects Run-key registry values (Sysmon Event ID 13) written by a process whose image is located in the Downloads folder or in a temporary Outlook/Internet Explorer directory 7 | Falsepositives: Software installers downloaded and run by users. 
8 | Sigma UUID: 9c5037d1-c568-49b3-88c7-9846a5bdc2be 9 | https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ 10 | attack.persistence,attack.t1060,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_driver_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event6 3 | \\\\Temp\\\\ 4 | ATT&CK T1050: Suspicious Driver Load from Temp 5 | Detects a driver load from a temporary directory 6 | Falsepositives: there is a relevant set of false positives depending on applications in the environment. 7 | Sigma UUID: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 8 | attack.persistence,attack.t1050,MITRE 9 | 10 | 11 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_image_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\notepad.exe 4 | \\\\samlib.dll|\\\\WinSCard.dll 5 | ATT&CK T1073: Possible Process Hollowing Image Loading 6 | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz 7 | Falsepositives: Very likely, needs more tuning. 
8 | Sigma UUID: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 9 | https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html 10 | attack.defense_evasion,attack.t1073,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_lsass_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | windows 3 | ^12$|^13$ 4 | \\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt|\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt 5 | ATT&CK T1177: DLL Load via LSASS 6 | Detects a method to load DLL via LSASS process using an undocumented Registry key 7 | Falsepositives: Unknown. 8 | Sigma UUID: b3503044-60ce-4bf4-bbcb-e3db98788823 9 | https://blog.xpnsec.com/exploring-mimikatz-part-1/ 10 | https://twitter.com/SBousseaden/status/1183745981189427200 11 | attack.execution,attack.t1177,MITRE 12 | 13 | 14 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \.:\\\\Windows\\\\assembly 5 | ATT&CK T1193: dotNET DLL Loaded Via Office Applications 6 | Detects any assembly DLL being loaded by an Office Product 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 
8 | Sigma UUID: ff0f2b05-09db-4095-b96d-1b75ca24894a 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \\\\clr.dll 5 | ATT&CK T1193: CLR DLL Loaded Via Office Applications 6 | Detects CLR DLL being loaded by an Office Product 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 8 | Sigma UUID: d13c43f0-f66b-4279-8b2c-5912077c1780 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \.:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL 5 | ATT&CK T1193: GAC DLL Loaded Via Office Applications 6 | Detects any GAC DLL being loaded by an Office Product 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 
8 | Sigma UUID: 90217a70-13fc-48e4-b3db-0d836c5824ac 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \\\\dsparse.dll 5 | ATT&CK T1193: Active Directory Parsing DLL Loaded Via Office Applications 6 | Detects DSParse DLL being loaded by an Office Product 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 8 | Sigma UUID: a2a3b925-7bb0-433b-b508-db9003263cc4 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \\\\kerberos.dll 5 | ATT&CK T1193: Active Directory Kerberos DLL Loaded Via Office Applications 6 | Detects Kerberos DLL being loaded by an Office Product 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 
8 | Sigma UUID: 7417e29e-c2e7-4cf6-a2e8-767228c64837 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_powershell_rundll32.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event8 3 | \\\\powershell.exe 4 | \\\\rundll32.exe 5 | ATT&CK T1085 T1086: PowerShell Rundll32 Remote Thread Creation 6 | Detects powershell.exe creating a remote thread (Sysmon Event ID 8) in rundll32.exe 7 | Falsepositives: Unknown. 8 | Sigma UUID: 99b97608-3e21-4bfe-8217-2a127c396a0e 9 | https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html 10 | attack.defense_evasion,attack.execution,attack.t1085,attack.t1086,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_prog_location_network_connection.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event3 3 | \\\\\$Recycle.bin|\\\\Users\\\\All Users\\\\|\\\\Users\\\\Default\\\\|\\\\Users\\\\Public\\\\|\\\\Users\\\\Contacts\\\\|\\\\Users\\\\Searches\\\\|\.:\\\\Perflogs\\\\|\\\\config\\\\systemprofile\\\\|\\\\Windows\\\\Fonts\\\\|\\\\Windows\\\\IME\\\\|\\\\Windows\\\\addins\\\\ 4 | ATT&CK: Suspicious Program Location with Network Connections 5 | Detects programs making network connections (Sysmon Event ID 3) while running from suspicious file system locations such as the Recycle Bin, Users\Public, Perflogs or Windows\Fonts 6 | Falsepositives: Unknown. 
7 | Sigma UUID: 7b434893-c57d-4f41-908d-6a17bf1ae98f 8 | https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo 9 | MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_susp_winword_vbadll_load.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\winword.exe|\\\\powerpnt.exe|\\\\excel.exe|\\\\outlook.exe 4 | \\\\VBE7.DLL|\\\\VBEUI.DLL|\\\\VBE7INTL.DLL 5 | ATT&CK T1193: VBA DLL Loaded Via Microsoft Word 6 | Detects the VBA runtime DLLs (VBE7.DLL, VBEUI.DLL, VBE7INTL.DLL) being loaded by Word, PowerPoint, Excel or Outlook, which indicates a document containing VBA macros 7 | Falsepositives: Alerts on legitimate macro usage as well, will need to filter as appropriate. 8 | Sigma UUID: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 9 | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 10 | attack.initial_access,attack.t1193,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_sysinternals_eula_accepted.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_13 3 | \\\\EulaAccepted 4 | ATT&CK: Usage of Sysinternals Tools 5 | Detects the usage of Sysinternals tools via the EulaAccepted registry value being written (the effect of running a tool with -accepteula or clicking through its EULA dialog) 6 | Falsepositives: Legitimate use of Sysinternals tools. Programs that write the same registry value. 
7 | Sigma UUID: 25ffa65d-76d8-4da5-a832-3f2b0136e133 8 | https://twitter.com/Moti_B/status/1008587936735035392 9 | MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_tsclient_filewrite_startup.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_11 3 | \\\\mstsc.exe 4 | \\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\ 5 | ATT&CK: Hijack Legit RDP Session to Move Laterally 6 | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder 7 | Falsepositives: unknown. 8 | Sigma UUID: 52753ea4-b3a0-4365-910d-36cff487b789 9 | MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_uac_bypass_sdclt.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_13 3 | HKU\\\\\.*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand 4 | ATT&CK T1088: UAC Bypass via Sdclt 5 | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand 6 | Falsepositives: unknown. 7 | Sigma UUID: 5b872a46-3b90-45c1-8419-f675db8053aa 8 | https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ 9 | attack.defense_evasion,attack.privilege_escalation,attack.t1088,car.2019-04-001,MITRE 10 | 11 | 12 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \\\\lsass.exe$ 4 | false 5 | ATT&CK T1003: Unsigned Image Loaded Into LSASS Process 6 | Loading unsigned image (DLL, EXE) into LSASS process 7 | Falsepositives: Valid user connecting using RDP. 
8 | Sigma UUID: 857c8db3-c89b-42fb-882b-f681c7cf4da2 9 | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 10 | attack.credential_access,attack.t1003,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_win_binary_github_com.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event3 3 | true 4 | .github.com|.githubusercontent.com 5 | \.:\\\\Windows\\\\ 6 | ATT&CK T1105: Microsoft Binary Github Communication 7 | Detects an executable in the Windows folder accessing github.com 8 | Falsepositives: Unknown. @subTee in your network. 9 | Sigma UUID: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 10 | https://twitter.com/M_haggis/status/900741347035889665 11 | https://twitter.com/M_haggis/status/1032799638213066752 12 | attack.lateral_movement,attack.t1105,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_win_binary_susp_com.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event3 3 | true 4 | dl.dropboxusercontent.com|.pastebin.com|.githubusercontent.com 5 | \.:\\\\Windows\\\\ 6 | ATT&CK T1105: Microsoft Binary Suspicious Communication Endpoint 7 | Detects an executable in the Windows folder accessing suspicious domains 8 | Falsepositives: Unknown. 
9 | Sigma UUID: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 10 | https://twitter.com/M_haggis/status/900741347035889665 11 | https://twitter.com/M_haggis/status/1032799638213066752 12 | attack.lateral_movement,attack.t1105,MITRE 13 | 14 | 15 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_wmi_event_subscription.xml: -------------------------------------------------------------------------------- 1 | 2 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event7 3 | \.:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe 4 | wbemcons.dll 5 | ATT&CK T1084: WMI Persistence - Command Line Event Consumer 6 | Detects WMI command line event consumers 7 | Falsepositives: Unknown (data set is too small; further testing needed). 8 | Sigma UUID: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 9 | https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 10 | attack.t1084,attack.persistence,MITRE 11 | 12 | 13 | -------------------------------------------------------------------------------- /ossec-rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.xml: -------------------------------------------------------------------------------- 1 | 2 | sysmon_event_11 3 | \.:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe 4 | ATT&CK T1084: WMI Persistence - Script Event Consumer File Write 5 | Detects file writes of WMI script event consumer 6 | Falsepositives: Unknown (data set is too small; further testing needed). 7 | Sigma UUID: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 8 | https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 9 | attack.t1084,attack.persistence,MITRE 10 | 11 | 12 | --------------------------------------------------------------------------------