├── 2022_BlackCat_Ransomware
│   ├── win_susp_process_blackcat_execution.yml
│   ├── win_susp_process_blackcat_execution_getuuid.yml
│   ├── win_susp_process_blackcat_exfiltration.yml
│   ├── win_susp_process_exec_in_perflogs_path.yml
│   ├── win_susp_process_fsutil_allowing_connections.yml
│   ├── win_susp_process_maxmpxct_reg_mod.yml
│   ├── win_susp_reg_added_maxmpxct_sysmon.yml
│   └── win_susp_reg_set_maxmpxct_sysmon.yml
├── 2022_ChromeLoader
│   ├── chrome_loadextension_chromeloader.yml
│   └── cmd_external_drive_batch_script_execution_chromeloader.yml
├── 2022_Gootloader
│   ├── registry_key_creation_gootloader.yml
│   └── wscript_execution_in_appdata_gootloader.yml
├── 2022_HTMLSmuggling
│   ├── 1_win_zipfile_drop.yml
│   ├── 2_win_susp_file_extraction.yml
│   ├── 3_win_security_iso_mount.yml
│   ├── 4_win_process_creation_ext_drive.yml
│   ├── 4_win_process_creation_ext_drive_old.yml
│   ├── TestQueries.txt
│   └── correlation_temporal_html_smuggling.yml
├── 2022_Hive_Ransomware
│   ├── win_bcd_registry_modification_hive.yml
│   ├── win_susp_bcdedit_hive.yml
│   └── win_susp_wevtutil_hive.yml
├── 2022_QakBot
│   ├── win_qakbot_dropped_file_creation_4663.yml
│   ├── win_qakbot_dropped_file_creation_sysmon.yml
│   ├── win_qakbot_susp_calc_dll_load_trellix.yml
│   ├── win_qakbot_susp_calc_process_trellix.yml
│   ├── win_qakbot_susp_cmdline_from_injected_process.yml
│   ├── win_qakbot_susp_process_injection_to_explorer.yml
│   └── win_qakbot_susp_schtasks_process_trellix.yml
├── 2022_RedCanary_ThreatDetectionReport
│   ├── bitsadmin_mal_download.yml
│   ├── certutil_mal_download.yml
│   ├── cmd_bypassing_security_controls.yml
│   ├── cmd_obfuscated_commands.yml
│   ├── cmd_powershell_base64.yml
│   ├── cmd_susp_process_ancestry.yml
│   ├── lsass_process_access_injection.yml
│   ├── lsass_susp_parent_child_relationships.yml
│   ├── notepad_internal_name_mismatch.yml
│   ├── notepad_network_connection.yml
│   ├── notpowershell_unusual_commandline.yml
│   ├── powershell_base64.yml
│   ├── powershell_disable_defender_components.yml
│   ├── powershell_encoded_flag.yml
│   ├── powershell_high_count_susp_chars.yml
│   ├── powershell_modify_defender_components.yml
│   ├── powershell_process_injection.yml
│   ├── powershell_renamed.yml
│   ├── powershell_susp_cmdlets.yml
│   ├── powershell_susp_wmi_cmdlets.yml
│   ├── process_execution_without_commandline.yml
│   ├── rundll32_app_bypass_dllregisterserver.yml
│   ├── rundll32_susp_export_functionality.yml
│   ├── rundll32_susp_process_ancestry.yml
│   ├── rundll32_without_commandline.yml
│   ├── schtasks_create_shell.yml
│   ├── schtasks_network_connections.yml
│   ├── schtasks_susp_behavior.yml
│   ├── shrpubw_execution_from_unexpected_path.yml
│   ├── svchost_wout_normal_parameters.yml
│   ├── wmi_recon_activity.yml
│   ├── wmi_susp_process_lineage.yml
│   ├── wmic_shadow_copy_deletion.yml
│   └── wmic_susp_commands.yml
├── 2022_RenameSystemUtilities
│   ├── file_creation_exe_extension.yml
│   ├── file_creation_exe_in_temp_directories_4663.yml
│   ├── proc_creation_non_exe_demo.yml
│   └── proc_creation_susp_rcedit_execution.yml
├── 2022_Solarmarker
│   ├── win_susp_file_ext_reg_key.yml
│   ├── win_susp_solarmarker_file_creation.yml
│   └── win_victim_id_file_creation.yml
├── 2022_ViceSociety_Ransomware
│   ├── pwsh_ms_defender_tampering_vsociety.yml
│   ├── win_encrypted_extension_file_creation_vsociety.yml
│   ├── win_exe_deployment_from_remote_share_vsociety.yml
│   ├── win_ntdsutil_credential_theft_vsociety.yml
│   ├── win_susp_net_user_creation_vsociety.yml
│   └── win_susp_reg_defender_tampering_vsociety.yml
├── 2023_DarkGate
│   ├── file_event_win_malware_darkgate_autoit3.yml
│   └── proc_creation_win_malware_darkgate_autoit3_from_appdata.yml
├── 2023_External_RemoteSvc_Logons
│   └── win_security_successful_external_remote_svc_login.yml
├── 2023_Impacket
│   ├── GetUserSPNs
│   │   └── zeek_impacket_kerberos_rc4.yml
│   ├── atexec
│   │   ├── win_file_creation_impacket_atexec.yml
│   │   ├── win_proc_creation_impacket_atexec.yml
│   │   ├── win_registry_events_impacket_atexec.yml
│   │   └── win_schtasks_impacket_atexec.yml
│   ├── dcomexec
│   │   └── zeek_dce_impacket_remote_create_instance_dcomexec.yml
│   ├── psexec
│   │   ├── win_file_creation_impacket_psexec.yml
│   │   └── win_pipe_created_remcom_impacket_psexec.yml
│   ├── secretsdump
│   │   └── zeek_dce_impacket_rpc_secretsdump.yml
│   └── smbclient
│       └── file_event_win_impacket_exe.yml
├── 2023_OneNote_Malware
│   ├── create_stream_hash_double_extension.yml
│   ├── dns_query_double_extension.yml
│   ├── file_event_double_extension.yml
│   ├── net_connection_win_double_extension.yml
│   ├── win_proc_creation_double_extension.yml
│   ├── win_proc_creation_regasm_process_injection.yml
│   └── win_proc_right_to_left_override.yml
├── 2023_RedCanary_ThreatDetectionReport
│   ├── technique_cmd_bypassing_controls.yml
│   ├── technique_cmd_explorer_start_exit_cmd.yml
│   ├── technique_cmd_obfuscated_commands.yml
│   ├── technique_cmd_schtasks_create_shell.yml
│   ├── technique_cmd_susp_process_ancestry.yml
│   ├── technique_cmd_svc_shell_command.yml
│   ├── technique_ingress_tool_transfer_bitsadmin_download.yml
│   ├── technique_ingress_tool_transfer_certutil_download.yml
│   ├── technique_lsass_memory_lsass_access.yml
│   ├── technique_lsass_memory_lsass_non_sytem.yml
│   ├── technique_lsass_memory_rundll32_minidump.yml
│   ├── technique_lsass_memory_susp_lineage.yml
│   ├── technique_motw_bypass_iso_write_susp_folder.yml
│   ├── technique_process_injection_powershell_injection.yml
│   ├── technique_process_injection_process_sans_cmdline.yml
│   ├── technique_process_injection_susp_net_conn.yml
│   ├── technique_pwsh_base64_encoding.yml
│   ├── technique_pwsh_encoded_command_switch.yml
│   ├── technique_pwsh_obfuscated_commands.yml
│   ├── technique_pwsh_susp_cmdlets.yml
│   ├── technique_rename_sys_utils_unexpected_internal_name.yml
│   ├── technique_rename_sys_utils_unusual_cmdlines.yml
│   ├── technique_rundll32_app_bypass_dllregisterserver.yml
│   ├── technique_rundll32_inject_to_lsass.yml
│   ├── technique_rundll32_no_cmdline.yml
│   ├── technique_rundll32_susp_lineage.yml
│   ├── technique_setuid_setgid_binary_search.yml
│   ├── technique_smb_win_admin_shares_file_write.yml
│   ├── technique_smb_win_admin_shares_impacket_svc_via_registry.yml
│   ├── technique_smb_win_admin_shares_process_execution.yml
│   ├── technique_wmi_office_products_spawning_wmic.yml
│   ├── technique_wmi_reconnaissance.yml
│   ├── technique_wmi_shadow_copy_deletion.yml
│   ├── technique_wmi_susp_commands.yml
│   ├── technique_wmi_susp_lineage.yml
│   ├── technique_wmi_susp_pwsh_cmdlets.yml
│   ├── technique_wmi_unusual_module_loads.yml
│   ├── threat_adsearch_reg_runkey_persistence_execution.yml
│   ├── threat_adsearch_startup_folder_persistence.yml
│   ├── threat_bloodhound_common_cmd_actions.yml
│   ├── threat_cobalt_strike_beacon_getsystem_cmd_pattern.yml
│   ├── threat_cobalt_strike_beacon_implant.yml
│   ├── threat_cobalt_strike_uac_bypass_w_cliconfg.yml
│   ├── threat_emotet_excel_regsvr32_execution.yml
│   ├── threat_gamarue_rundll32_dll_filename.yml
│   ├── threat_gootloader_appdata_js_execution.yml
│   ├── threat_gootloader_cscript_msdos_shortnames.yml
│   ├── threat_impacket_atexec_execution.yml
│   ├── threat_impacket_smbexec_execution.yml
│   ├── threat_impacket_wmiexec_execution.yml
│   ├── threat_mimikatz_kirbi_file_creation.yml
│   ├── threat_mimikatz_module_names_in_cmdline.yml
│   ├── threat_plugx_wsc_proxy_dll_search_order_hijacking.yml
│   ├── threat_qbot_mounted_drive_execution.yml
│   ├── threat_qbot_rundll32_non_standard_file_proxy_execution.yml
│   ├── threat_raspberry_robin_msiexec_execution.yml
│   ├── threat_socgholish_homoglyph_cyrillic_lookalikes.yml
│   ├── threat_socgholish_nltest_domain_trust_enumeration.yml
│   ├── threat_socgholish_whoami_output_to_file.yml
│   ├── threat_yellow_cockatoo_startup_lnk_file.yml
│   └── threat_yellow_cockatoo_susp_dotnet_methods.yml
├── 2023_WebDAV_SearchMS
│   ├── file_event_win_webdav_tmpfile_creation.yml
│   ├── proc_creation_win_webdav_lnk_execution.yml
│   └── proxy_webdav_search_ms.yml
├── 2024_Cicada3301_Ransomware
│   ├── correlation_proc_creation_win_taskkill_cicada3301.yml
│   ├── correlation_win_system_service_stopped_cicada3301.yml
│   ├── file_creation_win_cicada_psexec.yml
│   ├── proc_creation_win_cicada3301_execution.yml
│   ├── proc_creation_win_hyperv_stopvm.yml
│   └── proc_creation_win_iisreset_stop.yml
├── 2024_RedCanary_ThreatDetectionReport
│   ├── technique_applescript_applet_download_as_payload.yml
│   ├── technique_applescript_input_prompt.yml
│   ├── technique_command_shell_bypass_security_controls.yml
│   ├── technique_command_shell_from_explorer.yml
│   ├── technique_command_shell_from_schtask.yml
│   ├── technique_command_shell_from_service_ctrl_mgr.yml
│   ├── technique_command_shell_obfuscated_commands.yml
│   ├── technique_command_shell_suspicious_ancestry.yml
│   ├── technique_email_forwarding_rule_suspicious_criteria.yml
│   ├── technique_email_forwarding_rule_suspicious_folders.yml
│   ├── technique_email_forwarding_rule_suspicious_names.yml
│   ├── technique_ingress_tools_transfer_bitsadmin_download.yml
│   ├── technique_ingress_tools_transfer_certreq_download.yml
│   ├── technique_ingress_tools_transfer_certutil_download.yml
│   ├── technique_installer_packages_non_ms_publisher_id.yml
│   ├── technique_installer_packages_psf_powershell_execution.yml
│   ├── technique_kernel_modules_nondepmod_modifying_modules_dep.yml
│   ├── technique_kernel_modules_shells_modifying_files_in_lkm_directories.yml
│   ├── technique_kernel_modules_systemd_loading_lkm_insmod.yml
│   ├── technique_kernel_modules_systemd_loading_lkm_modprobe.yml
│   ├── technique_obfuscation_base64_encoding.yml
│   ├── technique_obfuscation_zipfile_spawning_javascript.yml
│   ├── technique_os_cred_dumping_secretsdump_file_modification.yml
│   ├── technique_powershell_base64_encoding.yml
│   ├── technique_powershell_encoded_command.yml
│   ├── technique_powershell_obfuscation_escape_chars.yml
│   ├── technique_powershell_susp_cmdlets.yml
│   ├── technique_rename_system_utils_powershell_notepad.yml
│   ├── technique_rename_system_utils_unusual_cmdline.yml
│   ├── technique_rundll32_dllregister_server_function.yml
│   ├── technique_rundll32_injection_to_lsass.yml
│   ├── technique_rundll32_no_cmdline.yml
│   ├── technique_rundll32_suspicious_export_functionalities.yml
│   ├── technique_rundll32_suspicious_lineage.yml
│   ├── technique_wmi_office_product_parent.yml
│   ├── technique_wmi_reconnaissance.yml
│   ├── technique_wmi_shadowcopy_deletion.yml
│   ├── technique_wmi_suspicious_commands.yml
│   ├── technique_wmi_suspicious_powershell_cmdlets.yml
│   ├── technique_wmi_suspicious_process_lineage.yml
│   ├── technique_wmi_unusual_module_loads.yml
│   ├── threat_chromeloader_nwjs_runtime_installation_paths.yml
│   ├── threat_gamarue_rundll32_cmdline.yml
│   ├── threat_impacket_atexec_execution.yml
│   ├── threat_impacket_secretsdump_execution.yml
│   ├── threat_impacket_smbexec_execution.yml
│   ├── threat_impacket_wmiexec_execution.yml
│   ├── threat_mimikatz_kirbi_file.yml
│   ├── threat_mimikatz_module_names.yml
│   ├── threat_qbot_mounted_drive_script_execution.yml
│   ├── threat_raspberry_robin_cmdline_netconn_no_params.yml
│   ├── threat_raspberry_robin_msiexec_download.yml
│   ├── threat_smashjacker_appinit_dll_installation.yml
│   ├── threat_smashjacker_web_browser_loading_extension.yml
│   ├── threat_socgholish_nltest_domain_trust_enum.yml
│   ├── threat_socgholish_whoami_recon_file_output.yml
│   ├── threat_socgholish_wscript_from_browser_with_netconn.yml
│   ├── threat_yellow_cockatoo_ps_startup_folder_persistence.yml
│   └── threat_yellow_cockatoo_ps_susp_dotnet_methods.yml
├── LICENSE
└── README.md

--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_blackcat_execution.yml:
--------------------------------------------------------------------------------
title: Suspicious Command Line Indicating BlackCat Execution
id: df69c374-327e-4146-acff-4a961bb1b755
status: experimental
description: Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.execution
    - attack.t1059
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '--access-token'
        CommandLine|re: '^.*\s{1}[a-zA-Z0-9]{64}\s{1}.*$'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_blackcat_execution_getuuid.yml:
--------------------------------------------------------------------------------
title: Suspicious Command Line Indicating BlackCat Execution with Get UUID Option
id: 76fe5991-2bff-4ae2-adcf-28a95788027f
status: experimental
description: Detects process execution with the --access-token flag accompanied by a child process with a 'get uuid' option.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.execution
    - attack.t1059
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentCommandLine|contains: '--access-token'
        CommandLine|contains: 'get uuid'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_blackcat_exfiltration.yml:
--------------------------------------------------------------------------------
title: Suspicious BlackCat-Related Exfiltration Command
id: 613624be-dabf-4562-b49b-c2fd45773556
status: experimental
description: Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
    - https://rclone.org/docs/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'copy'
            - '--max-age'
            - '--ignore-existing'
            - '--multi-thread-streams'
            - '--transfers'
        CommandLine|contains:
            - 'ftp'
            - 'ssh'
            - '-q'
    condition: selection
falsepositives:
    - Legitimate use of rclone to manage files on cloud storage.
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_exec_in_perflogs_path.yml:
--------------------------------------------------------------------------------
title: Suspicious Process Execution in PerfLogs Directory
id: 82469ee5-ccf3-4669-9be6-31830f7ef3d7
status: experimental
description: Detects process execution in PerfLogs folder - a folder used by Windows for log collection - and matching previously-observed naming patterns for ransomware executables.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.defense_evasion
    - attack.t1564
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains: 'perflogs'
    selection2:
        ParentImage|re: '^.*\\[a-z]{3}\.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_fsutil_allowing_connections.yml:
--------------------------------------------------------------------------------
title: Suspicious Fsutil Execution Allowing Remote Connections
id: 27e58290-85bf-4bd4-8eab-1c493139b659
status: experimental
description: Detects the use of fsutil to permit additional types of symbolic links on a computer. These can be used to enable ransomware to follow shortcuts to find all files it wants to encrypt.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
author: Micah Babinski
date: 2022/12/05
tags:
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\fsutil.exe'
        CommandLine|contains|all:
            - 'behavior'
            - 'set'
            - 'SymlinkEvaluation'
        CommandLine|re: '^.*(R|L)2(R|L):1.*$'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_process_maxmpxct_reg_mod.yml:
--------------------------------------------------------------------------------
title: Suspicious Registry Modification of MaxMpxCt Parameters
id: 9fc5784b-50ab-4f0e-8044-5e15990d48a1
status: experimental
description: Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'LanmanServer'
            - 'parameters'
            - 'MaxMpxCt'
            - '65535'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_reg_added_maxmpxct_sysmon.yml:
--------------------------------------------------------------------------------
title: 'Suspicious Registry Key Added: LanmanServer Parameters'
id: 9c5df39b-0fe2-450b-bc90-a1b748dca8af
status: experimental
description: Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        EventType: CreateKey
        TargetObject: 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_BlackCat_Ransomware/win_susp_reg_set_maxmpxct_sysmon.yml:
--------------------------------------------------------------------------------
title: 'Suspicious Registry Key Set (MaxMpxCt)'
id: 4bd730d9-37d6-4a87-b392-ffb9ab52bf21
status: experimental
description: Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt'
        Details: 'DWORD (0x0000ffff)'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_ChromeLoader/chrome_loadextension_chromeloader.yml:
--------------------------------------------------------------------------------
title: Chrome Spawned by Powershell with Load-Extension in Command Line
id: 4007bc45-1727-405d-a7bc-4b3d441bf08f
status: experimental
description: Detects instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\local as a parameter.
references:
    - https://redcanary.com/blog/chromeloader/
    - https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
author: Micah Babinski
date: 2022/11/07
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        Image|endswith: '\chrome.exe'
        CommandLine|contains|all:
            - 'appdata\local'
            - 'load-extension'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_Gootloader/registry_key_creation_gootloader.yml:
--------------------------------------------------------------------------------
title: Gootloader Stage 2 Registry Key Creation
id: 10ad1627-1a0a-4323-b3da-3a9394b9535a
status: experimental
description: Detects potential stage 2 Gootloader registry key creation.
references:
    - https://redcanary.com/blog/gootloader/
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/
author: Micah Babinski
date: 2022/11/07
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1620
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        EventType: 'CreateKey'
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Phone\'
            - 'SOFTWARE\Microsoft\Personalization\'
        TargetObject|endswith: '0'
        Image|endswith: '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_Gootloader/wscript_execution_in_appdata_gootloader.yml:
--------------------------------------------------------------------------------
title: Wscript.exe Executing Agreement Javascript in AppData Folder
id: c9677b37-50f0-44d3-b8f8-24b5b5eed570
status: experimental
description: Detects potential stage 1 Gootloader javascript execution.
references:
    - https://redcanary.com/blog/gootloader/
    - https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader
author: Micah Babinski
date: 2022/11/07
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wscript.exe'
        CommandLine|contains|all:
            - '\appdata\'
            - 'agreement'
        CommandLine|endswith: '.js'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_HTMLSmuggling/2_win_susp_file_extraction.yml:
--------------------------------------------------------------------------------
title: ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
id: f853978d-343e-4879-ab56-dfe07f1f2f0b
status: experimental
description: Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.
references:
    - https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
    - https://www.malwarebytes.com/blog/news/2021/11/evasive-maneuvers-html-smuggling-explained
author: Micah Babinski
date: 2022/12/15
tags:
    - attack.s0650
    - attack.s0483
    - attack.defense_evasion
    - attack.t1027
    - attack.t1027.006
    - attack.t1564
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\explorer.exe'
            - '\WinRAR.exe'
        TargetFilename|endswith:
            - '.iso'
            - '.vhd'
            - '.img'
            - '.lnk'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_HTMLSmuggling/3_win_security_iso_mount.yml:
--------------------------------------------------------------------------------
title: ISO Image Mount
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: experimental
description: Detects the mount of ISO images on an endpoint
references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
    - https://twitter.com/MsftSecIntel/status/1257324139515269121
author: Syed Hasan (@syedhasan009)
date: 2021/05/29
modified: 2022/10/05
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
    selection:
        EventID: 4663
        ObjectServer: 'Security'
        ObjectType: 'File'
        ObjectName|startswith: '\Device\CdRom'
    filter:
        ObjectName: '\Device\CdRom0\setup.exe'
    condition: selection and not filter
falsepositives:
    - Software installation ISO files
level: medium
--------------------------------------------------------------------------------
/2022_HTMLSmuggling/TestQueries.txt:
--------------------------------------------------------------------------------
Splunk Queries - These are the originals; I modified them slightly for testing HTML Smuggling.

1_win_zipfile_drop.yml
EventID=15 Image IN ("*\\chrome.exe", "*\\brave.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\msedge.exe", "*\\MicrosoftEdgeCP.exe") Contents="*[ZoneTransfer] ZoneId=3*" TargetFilename IN ("*.zip*", "*.rar*", "*.7z*")

2_win_susp_file_extraction.yml
EventID=11 Image IN ("*\\explorer.exe", "*\\WinRAR.exe") TargetFilename IN ("*.iso", "*.vhd", "*.img", "*.lnk")

3_win_security_iso_mount.yml
EventID=4663 ObjectServer="Security" ObjectType="File" ObjectName="\\Device\\CdRom*" NOT ObjectName="\\Device\\CdRom0\\setup.exe"

4_win_process_creation_ext_drive.yml
EventID=1 ParentImage="*\\explorer.exe" NOT CurrentDirectory="C:*" OR NOT Image="C:*"

4_win_process_creation_ext_drive_old.yml
EventID=1 ParentImage="*\\explorer.exe" NOT Image="C:*" OR (Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe") NOT CurrentDirectory="C:*")

--------------------------------------------------------------------------------
/2022_Hive_Ransomware/win_bcd_registry_modification_hive.yml:
--------------------------------------------------------------------------------
title: Boot Configuration Database (BCD) Manipulation - Registry Modification
id: 99a9fbb6-62bf-4cb7-8406-a363bc14cbf3
status: experimental
description: Detects registry modifications occurring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
author: Micah Babinski
date: 2022/11/22
tags:
    - attack.impact
    - attack.t1490
    - attack.g0092
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        EventType: 'SetValue'
        TargetObject|contains: 'elements'
    selection_2:
        TargetObject|contains:
            - '16000009'
            - '250000e0'
    condition: selection_1 and selection_2
falsepositives:
    - WMI initiating BCD changes
level: high
--------------------------------------------------------------------------------
/2022_Hive_Ransomware/win_susp_bcdedit_hive.yml:
--------------------------------------------------------------------------------
title: Use of bcdedit to Disrupt Boot Processes
id: e28f76ad-bdd9-4e56-bd09-ce8b9b853b7f
status: experimental
description: Detects the use of bcdedit to disrupt normal boot processes.
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
author: Micah Babinski
date: 2022/11/22
tags:
    - attack.impact
    - attack.t1490
    - attack.g0092
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains|windash: '/set'
    selection_ignorefailure:
        CommandLine|contains: 'bootstatuspolicy'
        CommandLine|re: 'ignore[a-zA-Z]*failures'
    selection_disablerecovery:
        CommandLine|contains|all:
            - 'recoveryenabled'
            - 'no'
    condition: selection_exe and (selection_ignorefailure or selection_disablerecovery)
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_Hive_Ransomware/win_susp_wevtutil_hive.yml:
--------------------------------------------------------------------------------
title: Event Log Manipulation Using Wevtutil
id: 4d71069b-dda7-4df7-b835-1f23dd212615
status: experimental
description: Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Micah Babinski
date: 2022/11/22
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.g0092
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith: '\wevtutil.exe'
    selection_clear:
        CommandLine|contains:
            - ' cl '
            - 'clear-log'
    selection_set:
        CommandLine|contains:
            - ' sl '
            - 'set-log'
    selection_set_flags:
        CommandLine|contains|windash:
            - '/e:false'
            - '/ms:'
    condition: selection_exe and (selection_clear or (selection_set and selection_set_flags))
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_QakBot/win_qakbot_dropped_file_creation_4663.yml:
--------------------------------------------------------------------------------
title: Malicious QakBot Dropped File Creation (Event 4663)
id: 7daae1fd-b462-4628-a87e-5f639351b783
status: experimental
description: Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/17
tags:
    - attack.initial_access
    - attack.defense_evasion
    - attack.t1566
    - attack.t1027
    - attack.t1553
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        AccessList: '%%4417'
        ObjectName|endswith:
            - '.html'
            - '.zip'
            - '.iso'
            - '.lnk'
        ObjectName|re: '.*TXRTN_[0-9]{7}\..*'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_QakBot/win_qakbot_dropped_file_creation_sysmon.yml:
--------------------------------------------------------------------------------
title: Malicious QakBot Dropped File Creation (Sysmon)
id: 8e401ffe-ca9b-4bb2-87aa-8e285811d43f
status: experimental
description: Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/17
tags:
    - attack.initial_access
    - attack.defense_evasion
    - attack.t1566
    - attack.t1027
    - attack.t1553
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.html'
            - '.zip'
            - '.iso'
            - '.lnk'
        TargetFilename|re: '.*TXRTN_[0-9]{7}\..*'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_QakBot/win_qakbot_susp_calc_dll_load_trellix.yml:
--------------------------------------------------------------------------------
title: Suspicious Calc DLL Load
id: b47b9cc3-6f9a-4a58-a669-5e5e126514b1
status: experimental
description: Detects Windows 7 calc.exe loading DLLs from suspicious or abnormal file paths.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/19
tags:
    - attack.persistence
    - attack.t1574
logsource:
    # ImageLoaded is a field of image-load events (Sysmon Event ID 7), not of process_creation events,
    # so the rule only matches DLL loads under the image_load category.
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\calc.exe'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32'
            - 'C:\Windows\SysWOW64'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_QakBot/win_qakbot_susp_calc_process_trellix.yml:
--------------------------------------------------------------------------------
title: Suspicious Calc Child Process
id: 76c86421-c373-4cac-9510-66455bc5fcd5
status: experimental
description: Detects the suspicious child process of calc
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Adithya Chandra and Sushant Kumar Arya, Trellix
date: 2022/04/08
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\calc.exe'
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_QakBot/win_qakbot_susp_cmdline_from_injected_process.yml:
--------------------------------------------------------------------------------
title: Suspicious Command Arguments from Explorer or Wermgr
id: ebda47a5-173e-493d-93a6-d7123076ee11
status: experimental
description: Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.
5 | references: 6 | - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html 7 | author: Adithya Chandra and Sushant Kumar Arya, Trellix 8 | date: 2022/04/08 9 | tags: 10 | - attack.discovery 11 | - attack.t1082 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image|endswith: 18 | - '\explorer.exe' 19 | - '\wermgr.exe' 20 | CommandLine|contains|windash: 21 | - 'whoami /all' 22 | - 'arp -a' 23 | - 'ipconfig /all' 24 | - 'net view /all' 25 | - 'cmd /c set' 26 | - 'nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs' 27 | - 'nltest /domain_trusts /all_trusts' 28 | - 'net share' 29 | - 'netstat -nao' 30 | - 'net localgroup' 31 | - 'qwinsta' 32 | condition: selection 33 | falsepositives: 34 | - Unknown 35 | level: high -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_process_injection_to_explorer.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Process Injection to Explorer 2 | id: ddef6008-8465-4ce6-b2ec-4e8ffef62a9a 3 | status: experimental 4 | description: Detects the suspicious child process of regsvr32 5 | references: 6 | - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html 7 | author: Adithya Chandra and Sushant Kumar Arya, Trellix 8 | date: 2022/04/08 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1218 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | ParentImage|endswith: '\regsvr32.exe' 18 | Image|endswith: '\explorer.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: high -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_schtasks_process_trellix.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious 
Schtasks Child Process 2 | id: 6470cbb3-a339-40dd-8d0e-250013b86828 3 | status: experimental 4 | description: Detects schtasks being run as a child process of explorer.exe to create a schedule task. 5 | references: 6 | - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html 7 | author: Micah Babinski 8 | date: 2022/11/19 9 | tags: 10 | - attack.persistence 11 | - attack.t1053 12 | - attack.t1053.005 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage|endswith: '\explorer.exe' 19 | Image|endswith: '\schtasks.exe' 20 | CommandLine|contains|windash: 21 | - '/create' 22 | - '/ru' 23 | - '/sc once' 24 | - 'powershell' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: high 29 | -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/bitsadmin_mal_download.yml: -------------------------------------------------------------------------------- 1 | title: BITSAdmin Downloading Malicious Binaries 2 | id: c7568c9e-f6c6-4cb7-a3c0-da356aef51d8 3 | status: experimental 4 | description: Detects usage of BITSAdmin to download malicious code. Inspired by the 5 | 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 8 | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download 9 | author: Micah Babinski 10 | date: 2022/11/03 11 | tags: 12 | - attack.command_and_control 13 | - attack.t1105 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Image|endswith: '\bitsadmin.exe' 20 | CommandLine|contains: 21 | - 'download' 22 | - 'transfer' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/certutil_mal_download.yml: -------------------------------------------------------------------------------- 1 | title: CertUtil Downloading Malicious Binaries 2 | id: b7bfe106-4c22-4ced-82da-b12c39bef679 3 | status: experimental 4 | description: Detects usage of certutil to download malicious code. Inspired by the 5 | 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.command_and_control 12 | - attack.t1105 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Image|endswith: '\certutil.exe' 19 | CommandLine|contains|all: 20 | - 'urlcache' 21 | - 'split' 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_bypassing_security_controls.yml: -------------------------------------------------------------------------------- 1 | title: Command Shell Bypassing Security Controls 2 | id: 188b256a-4344-47fb-88ed-6343b37c4999 3 | status: experimental 4 | description: Detects common ways to bypass controls using Windows Command Shell. Inspired 5 | by the 2022 Red Canary Threat Detection report. 6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.execution 12 | - attack.t1059.003 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Image|endswith: '\cmd.exe' 19 | CommandLine|contains|windash: 20 | - 'bypass' 21 | - '-exec' 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_obfuscated_commands.yml: -------------------------------------------------------------------------------- 1 | title: Command Shell Obfuscated Commands 2 | id: a30afe67-bde7-450f-a143-96a1a86d26d9 3 | status: experimental 4 | description: Looks for the execution of Windows Command Shell with unusually high 5 | counts of characters used for obfuscation. 
Inspired by the 2022 Red Canary Threat 6 | Detection report. 7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 9 | author: Micah Babinski 10 | date: 2022/11/03 11 | tags: 12 | - attack.execution 13 | - attack.t1059.003 14 | - attack.defense_evasion 15 | - attack.t1027 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | condition: selection 21 | selection: 22 | Image|endswith: '\cmd.exe' 23 | # regex below looks for eight or more total instances of the suspicious characters 24 | CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$' 25 | falsepositives: 26 | - Legitimate processes with long or convoluted command lines. 27 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_powershell_base64.yml: -------------------------------------------------------------------------------- 1 | title: Base64 Encoding in CMD or Powershell 2 | id: 1b5f1187-7010-4f58-b6a3-2b762d594b90 3 | status: experimental 4 | description: Looks for the execution of cmd.exe or powershell.exe with command lines 5 | that includes the term base64. Inspired by the 2022 Red Canary Threat Detection 6 | report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/ 9 | author: Micah Babinski 10 | date: 2022/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1140 14 | - attack.execution 15 | - attack.t1059.001 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: 22 | - '\powershell.exe' 23 | - '\cmd.exe' 24 | CommandLine|contains: 'base64' 25 | condition: selection 26 | falsepositives: 27 | - Windows Config Manager (https://wtfbins.wtf/1) 28 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_susp_process_ancestry.yml: -------------------------------------------------------------------------------- 1 | title: Command Shell Unusual or Suspicious Process Ancestry 2 | id: 157c153a-97d1-43e4-bc25-5461f52c935d 3 | status: experimental 4 | description: Looks for suspicious process interactions between the Windows IIS worker 5 | process (w3wp.exe) and the command shell. Inspired by the 2022 Red Canary Threat 6 | Detection report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 9 | author: Micah Babinski 10 | date: 2022/11/03 11 | tags: 12 | - attack.persistence 13 | - attack.t1505 14 | - attack.execution 15 | - attack.t1059.003 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection_process: 21 | Image|endswith: '\cmd.exe' 22 | ParentImage|endswith: 23 | - '\w3wp.exe' 24 | - '\wmiprvse.exe' 25 | selection_cmdline: 26 | - CommandLine|contains: 27 | - 'http://' 28 | - 'https://' 29 | - 'echo' 30 | - CommandLine|contains|all: 31 | - '/c' 32 | - 'powershell.exe' 33 | condition: selection_process and selection_cmdline 34 | falsepositives: 35 | - Unknown 36 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/lsass_process_access_injection.yml: -------------------------------------------------------------------------------- 1 | title: Abnormal LSASS Process Access and Injection 2 | id: 23fac7e9-3c44-4b76-891b-72c4d44e1964 3 | status: experimental 4 | description: Detects obviously suspicious cross-process events targetting lsass.exe. 5 | Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/lsass-memory/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.credential_access 12 | - attack.t1003.001 13 | logsource: 14 | category: process_access 15 | product: windows 16 | detection: 17 | selection: 18 | SourceImage|endswith: 19 | - '\powershell.exe' 20 | - '\taskmgr.exe' 21 | - '\rundll32.exe' 22 | - '\procdump.exe' 23 | - '\procexp.exe' 24 | TargetImage|endswith: '\lsass.exe' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: medium -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/lsass_susp_parent_child_relationships.yml: -------------------------------------------------------------------------------- 1 | title: Abnormal LSASS Child and Parent Process Relationships 2 | id: 67ba1ddd-4510-42d5-aa78-83bed66bd684 3 | status: experimental 4 | description: Detects potential lsass.exe abuse based on unusual and suspicious parent-child 5 | relationships. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/lsass-memory/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.credential_access 12 | - attack.t1003.001 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection1: 18 | Image|endswith: 19 | - '\cmd.exe' 20 | - '\powershell.exe' 21 | - '\regsvr32.exe' 22 | - '\mstsc.exe' 23 | - '\dllhost.exe' 24 | ParentImage|endswith: \lsass.exe' 25 | selection2: 26 | Image|endswith: '\lsass.exe' 27 | ParentImage|endswith: 28 | - '\explorer.exe' 29 | - '\cmd.exe' 30 | - '\lsass.exe' 31 | condition: selection1 or selection2 32 | falsepositives: 33 | - Unknown 34 | level: medium -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notepad_internal_name_mismatch.yml: -------------------------------------------------------------------------------- 1 | title: Process Executing with Unusual Command Lines 2 | id: 1b7bc524-7d66-4902-9524-0e22e5cbe667 3 | status: experimental 4 | description: Looks for the execution of non-powershell process with command lines 5 | matching common powershell format. Inspired by the 2022 Red Canary Threat Detection 6 | report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/ 9 | author: Micah Babinski 10 | date: 2022/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1036.003 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | filter: 19 | Image|endswith: '\powershell.exe' 20 | selection: 21 | CommandLine|contains: 22 | - 'iex' 23 | - 'invoke-expression' 24 | condition: selection and not filter 25 | falsepositives: 26 | - Unknown 27 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notepad_network_connection.yml: -------------------------------------------------------------------------------- 1 | title: Network Connections Where There Should Not Be (Notepad) 2 | id: 6abd63f2-a8cc-40bc-b13b-7c60fa20b265 3 | status: experimental 4 | description: Looks for network connections from notepad. Inspired by the 2022 Red 5 | Canary Threat Detection report. 6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/process-injection/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1055 13 | logsource: 14 | category: network_connection 15 | product: windows 16 | detection: 17 | selection: 18 | Image|endswith: '\notepad.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notpowershell_unusual_commandline.yml: -------------------------------------------------------------------------------- 1 | title: Process Executing with Unusual Command Lines 2 | id: 9c644369-a7c5-4166-a702-930efd9b5579 3 | status: experimental 4 | description: Looks for the execution of non-powershell process with command lines 5 | matching common powershell format. 
Inspired by the 2022 Red Canary Threat Detection 6 | report. 7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/ 9 | author: Micah Babinski 10 | date: 2022/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1036.003 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | CommandLine|contains: 20 | - 'iex' 21 | - 'invoke-expression' 22 | filter: 23 | Image|endswith: '\powershell.exe' 24 | condition: selection and not filter 25 | falsepositives: 26 | - Unknown 27 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_base64.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Base64 Encoding 2 | id: 1d3025d2-f965-42e2-8256-adaa1054613d 3 | status: experimental 4 | description: Looks for the execution of powershell.exe with command lines that includes 5 | the term base64. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/powershell/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1140 13 | - attack.execution 14 | - attack.t1059.001 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | CommandLine|contains: 'base64' 21 | Image|endswith: '\powershell.exe' 22 | condition: selection 23 | falsepositives: 24 | - Windows Config Manager (https://wtfbins.wtf/1) 25 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_disable_defender_components.yml: -------------------------------------------------------------------------------- 1 | title: Abusing PowerShell to Disable Defender Components 2 | id: 32cfafc8-fbdc-43e0-a2cd-11b99630d270 3 | status: experimental 4 | description: Looks for instances of powershell being used to disable or impair Windows 5 | Defender functionality. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/ 8 | author: Micah Babinski 9 | date: 2022/11/04 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562 13 | - attack.t1562.001 14 | - attack.t1562.004 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | CommandLine|contains: 'Set-MpPreference' 21 | Image|endswith: '\powershell.exe' 22 | selection2: 23 | CommandLine|contains: 24 | - 'disablerealtimemonitoring' 25 | - 'disableioavprotection' 26 | - 'disablebehaviormonitoring' 27 | - 'disableintrusionpreventionsystem' 28 | - 'exclusionprocess' 29 | - 'disablescriptscanning' 30 | condition: selection and selection2 31 | falsepositives: 32 | - Unknown 33 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_encoded_flag.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell -encodedcommand Switch 2 | id: 5c0fcaac-e5e9-44a3-811f-b43b7709c339 3 | status: experimental 4 | description: Looks for the execution of powershell.exe with command lines that include 5 | variations of the -encodedcommand argument. Inspired by the 2022 Red Canary Threat 6 | Detection report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/powershell/ 9 | author: Micah Babinski 10 | date: 2022/11/04 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1140 14 | - attack.execution 15 | - attack.t1059.001 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | CommandLine|contains|windash: 22 | - '-ec' 23 | - '-en' 24 | - '-enc' 25 | - '-enco' 26 | Image|endswith: '\powershell.exe' 27 | condition: selection 28 | falsepositives: 29 | - Windows Config Manager (https://wtfbins.wtf/1) 30 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_high_count_susp_chars.yml: -------------------------------------------------------------------------------- 1 | title: Powershell Obfuscation and Escape Characters 2 | id: bb1e6157-bc60-41fc-a395-513ed538fabe 3 | status: experimental 4 | description: Looks for the execution of PowerShell with unusually high counts of characters 5 | like ^, +, $, and %. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/powershell/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.execution 12 | - attack.t1059.003 13 | - attack.defense_evasion 14 | - attack.t1027 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Image|endswith: '\powershell.exe' 21 | # regex below detects five or more occurrences of the suspicious characters 22 | CommandLine|re: '^([^^+$%]*[\^+$%]){5,}[^^+$%]*$' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_modify_defender_components.yml: -------------------------------------------------------------------------------- 1 | title: Abusing PowerShell to Modify Defender Components 2 | id: bb193057-4917-427f-887c-1d2615394935 3 | status: experimental 4 | description: Looks for instances of powershell being used to modify or degrade Windows 5 | Defender functionality. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/ 8 | author: Micah Babinski 9 | date: 2022/11/04 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562 13 | - attack.t1562.001 14 | - attack.t1562.004 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Image|endswith: '\powershell.exe' 21 | CommandLine|contains: 'Add-MpPreference' 22 | selection2: 23 | CommandLine|contains: 24 | - 'dll' 25 | - 'vbs' 26 | - 'zip' 27 | - '.bat' 28 | - 'iso' 29 | condition: selection and selection2 30 | falsepositives: 31 | - Unknown 32 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_process_injection.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Injecting into Other Process 2 | id: 95d5a93d-b755-4443-87d2-48125a4172ac 3 | status: experimental 4 | description: Looks for process access activity where PowerShell is accessing any other 5 | processes. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/process-injection/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1055 13 | logsource: 14 | category: process_access 15 | product: windows 16 | detection: 17 | selection: 18 | SourceImage|endswith: '\powershell.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_renamed.yml: -------------------------------------------------------------------------------- 1 | title: Unexpected Internal Process Name 2 | id: a01d910a-d31d-4d1f-98ce-3dedd301a605 3 | status: experimental 4 | description: Looks for the execution of powershell renamed as Notepad.exe. Inspired 5 | by the 2022 Red Canary Threat Detection report. 6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1036 13 | - attack.t1036.003 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Description|startswith: 20 | - 'Windows Powershell' 21 | - 'pwsh' 22 | Image|endswith: '\notepad.exe' 23 | OriginalFileName: 'powershell.exe' 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_susp_cmdlets.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Powershell Cmdlets 2 | id: b3dfac86-1056-4b6b-9c67-db4a10a9e812 3 | status: experimental 4 | description: Looks for look for cmdlets, methods, and switches that may indicate malicious 5 | activity. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/powershell/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.execution 12 | - attack.t1059 13 | - attack.t1059.001 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Image|endswith: '\powershell.exe' 20 | CommandLine|contains|windash: 21 | - '-nop' 22 | - '-noni' 23 | - 'invoke-expression' 24 | - 'iex' 25 | - 'downloadstring' 26 | - 'downloadfile' 27 | - 'downloadata' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_susp_wmi_cmdlets.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious WMI-Related Powershell Cmdlets 2 | id: c920d5b8-0e50-40ef-8f1a-5eb27399f455 3 | status: experimental 4 | description: Detects potential adversaries using powershell WMI-related cmdlets to 5 | query the operating system or execute commands, either locally or remotely. Inspired 6 | by the 2022 Red Canary Threat Detection report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/ 9 | author: Micah Babinski 10 | date: 2022/11/03 11 | tags: 12 | - attack.execution 13 | - attack.t1059 14 | - attack.t1059.001 15 | - attack.t1047 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\powershell.exe' 22 | CommandLine|contains: 23 | - 'invoke-wmimethod' 24 | - 'invoke-cimmethod' 25 | - 'get-wmiobject' 26 | - 'getciminstance' 27 | - 'wmiclass' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: medium -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/process_execution_without_commandline.yml: -------------------------------------------------------------------------------- 1 | title: Process Execution sans Command Lines 2 | id: e0a2f82f-d11d-4ea7-af7e-a8f760b07c04 3 | status: experimental 4 | description: Looks for process execution with no command line arguments, which may 5 | indicate process injection. Inspired by the 2022 Red Canary Threat Detection report. 
6 | references: 7 | - https://redcanary.com/threat-detection-report/techniques/process-injection/ 8 | author: Micah Babinski 9 | date: 2022/11/03 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1055 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '\backgroundtaskhost.exe' 20 | - '\svchost.exe' 21 | - '\dllhost.exe' 22 | - '\werfault.exe' 23 | - '\searchprotocolhost.exe' 24 | - '\wuauclt.exe' 25 | - '\spoolsv.exe' 26 | - '\rundll32.exe' 27 | - '\regasm.exe' 28 | - '\regsvr32.exe' 29 | - '\regsvcs.exe' 30 | # looks for command line values ending with exe or exe" and no other characters following 31 | CommandLine|re: '^.*\.exe(\s|")*$' 32 | condition: selection 33 | falsepositives: 34 | - Unknown 35 | level: high -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_app_bypass_dllregisterserver.yml: -------------------------------------------------------------------------------- 1 | title: Application Bypass with RunDLL32 and DllRegisterServer Function 2 | id: 361f2190-4857-4505-aaf9-588013b390f1 3 | status: experimental 4 | description: DLLs that are designed to be loaded by Regsvr32 are expected to have 5 | a DllRegisterServer export function implemented. This detects use of the same DLL 6 | to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/rundll32/ 9 | author: Micah Babinski 10 | date: 2022/11/03 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1218 14 | - attack.t1218.011 15 | - attack.s0650 16 | - attack.s0386 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | Image|endswith: '\rundll32.exe' 23 | CommandLine|contains: 'DllRegisterServer' 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: medium -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_susp_export_functionality.yml: -------------------------------------------------------------------------------- 1 | title: Rundll32 with Suspicious Export Functionalities 2 | id: e7cff8e3-89ae-47bd-841f-833e0a647f72 3 | status: experimental 4 | description: Detects instances of rundll32.exe running Windows native DLLs that have 5 | export functionalities that adversaries commonly leverage for executing malicious 6 | code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection 7 | report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/techniques/rundll32/ 10 | author: Micah Babinski 11 | date: 2022/11/03 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1218 15 | - attack.t1218.011 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\rundll32.exe' 22 | CommandLine|contains: 23 | - 'minidump' 24 | - 'startw' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: medium -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_susp_process_ancestry.yml: -------------------------------------------------------------------------------- 1 | title: Rundll32 with Suspicious Process Lineage 2 | id: a01588a5-b68d-4d55-ab49-76d25c557ed4 3 | status: experimental 4 | description: Detects executions of rundll32.exe from unusual or suspicious parent 5 | processes. Inspired by the 2022 Red Canary Threat Detection report. 
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\lsass.exe'
            - '\taskeng.exe'
            - '\winlogon.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/rundll32_without_commandline.yml:
--------------------------------------------------------------------------------
title: Rundll32 without Command Line
id: 48bd57e9-1b2b-4be9-a2aa-5fccbe86b136
status: experimental
description: Detects instances of rundll32.exe with no command line that spawn a child process. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # A bare image name or an empty command line means rundll32 was launched without a DLL/export argument
        ParentCommandLine:
            - 'rundll32.exe'
            - 'rundll32'
            - null
        ParentImage|endswith: '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/schtasks_create_shell.yml:
--------------------------------------------------------------------------------
title: Windows Scheduled Task Create Shell
id: eb9d10be-1ece-4241-bc76-d51eadcaf42b
status: experimental
description: Detects creation of scheduled tasks which may establish persistence using the command shell. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.persistence
    - attack.execution
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: 'create'
        # windash makes '/c' also match the '-c' dash form
        CommandLine|contains|all|windash:
            - '/c'
            - 'cmd'
    condition: selection
falsepositives:
    - Creation of legitimate scheduled tasks which need to run cmd.
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/schtasks_network_connections.yml:
--------------------------------------------------------------------------------
title: Windows Scheduled Task Making Suspicious Network Connection
id: 4a224230-746d-436b-b569-59f2d6809d6b
status: experimental
description: Detects scheduled tasks created to reach out to external domains and download arbitrary binaries on a set or recurring schedule. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.persistence
    - attack.execution
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash: '/create'
        CommandLine|contains:
            - 'https://'
            - 'http://'
            - 'ftp://'
    condition: selection
falsepositives:
    - Creation of legitimate scheduled tasks which need to access external sites.
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/schtasks_susp_behavior.yml:
--------------------------------------------------------------------------------
title: Windows Scheduled Task Behaving Improperly or Suspiciously
id: ccb39be9-ba55-4553-9614-a94e98e58626
status: experimental
description: Detects scheduled tasks created with the /create flag and a reference to commonly-abused Windows utilities. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/scheduled-task/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.persistence
    - attack.execution
    - attack.t1053
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - 'cmd.exe'
            - 'powershell.exe'
            - 'regsvr32.exe'
            - 'rundll32.exe'
            - 'mshta.exe'
        CommandLine|contains|windash: '/create'
    condition: selection
falsepositives:
    - Creation of legitimate scheduled tasks which need to run cmd or similar utilities.
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/shrpubw_execution_from_unexpected_path.yml:
--------------------------------------------------------------------------------
title: Shrpubw Execution from Unexpected File Path
id: 3b9fc5ea-6288-4c03-882a-af00df4f5b32
status: experimental
description: Looks for the execution of shrpubw.exe from a file path other than its expected System32 or WinSxS locations, a sign of DLL search order hijacking. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/dll-search-order-hijacking/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.persistence
    - attack.t1574
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shrpubw.exe'
    filter:
        Image|contains:
            - 'windows\system32\shrpubw.exe'
            - 'windows\winsxs'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/svchost_wout_normal_parameters.yml:
--------------------------------------------------------------------------------
title: Svchost Not Matching Normal Execution Parameters
id: 036c727d-0263-4733-ad60-d5f48dc72144
status: experimental
description: Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/match-legitimate-name-or-location/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter:
        CommandLine|contains: '-k'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/wmi_recon_activity.yml:
--------------------------------------------------------------------------------
title: WMIC Domain Reconnaissance Commands
id: 21a5815b-5db5-4e13-99e4-052ae6bbcdc1
status: experimental
description: Detects adversaries leveraging WMI to gather domain information such as users, groups, AV product in use, or computers in the domain. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - '\ldap'
            - 'ntdomain'
            - 'antivirusproduct'
            - 'useraccount get'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/wmi_susp_process_lineage.yml:
--------------------------------------------------------------------------------
title: WmiPrvSE Suspicious Process Lineage
id: 9c3367de-94fd-4a46-bc9f-d2943bd32025
status: experimental
description: Detects suspicious parent-child relationships where the wmiprvse.exe process spawns a scripting or execution utility. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\msbuild.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/wmic_shadow_copy_deletion.yml:
--------------------------------------------------------------------------------
title: WMIC Shadow Copy Deletion
id: 68483dc1-6bce-44ba-821b-59f3a0ba3bd8
status: experimental
description: Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RedCanary_ThreatDetectionReport/wmic_susp_commands.yml:
--------------------------------------------------------------------------------
title: WMIC Suspicious Commands
id: b772987f-ca62-4c24-ab78-a93ebb561d96
status: experimental
description: Detects remote spawning of unusual or unsigned binaries or commands via the well-known WMIC 'process call create' command. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        # All three tokens are required; an OR list would fire on benign 'wmic process list' style queries
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
        # '/node:' indicates remote execution, as the description requires
        CommandLine|contains: 'node:'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2022_RenameSystemUtilities/file_creation_exe_extension.yml:
--------------------------------------------------------------------------------
title: Command or Scripting Interpreter Creating EXE File
id: 47d68f87-d0f0-4386-8362-d62b7135a494
status: experimental
description: Detects suspicious use of a shell or scripting interpreter to create a file ending in .exe.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022/12/11
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
logsource:
    category: file_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\wscript.exe'
            - '\python.exe'
            - '\pythonw.exe'
        TargetFilename|endswith: '.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_RenameSystemUtilities/file_creation_exe_in_temp_directories_4663.yml:
--------------------------------------------------------------------------------
title: File Creation of Executables in Temp Folders (Event 4663)
id: 069aacee-0176-4bdd-8c8b-09e958b88b70
status: experimental
description: Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
author: Micah Babinski
date: 2022/12/11
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        # %%4417 is the WriteData/AddFile access right, i.e. file creation or write
        AccessList: '%%4417'
        ObjectName|endswith: '.exe'
        ObjectName|contains:
            - 'temp'
            - 'tmp'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_RenameSystemUtilities/proc_creation_non_exe_demo.yml:
--------------------------------------------------------------------------------
title: Process Creation without .exe File Extension
id: 02dc3892-2fd0-4dd5-b2d7-62052a837abe
status: experimental
description: Detects process creations where the Image does not have a .exe file extension.
references:
    - https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf
author: Micah Babinski
date: 2022/12/11
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
    - attack.s1020
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '.exe'
    condition: not selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_Solarmarker/win_susp_file_ext_reg_key.yml:
--------------------------------------------------------------------------------
title: Solarmarker File Extension Registry Key Set
id: 57c4dca5-51cd-4cff-b835-d7eebe8e92f6
related:
    - id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
      type: similar
status: experimental
description: Detects creation of a suspicious file extension registry key. This extension is then registered with a custom file type (see the Detail component of the detection below) with a malicious PowerShell payload specified.
references:
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
    - https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
    - https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant
author: Micah Babinski
date: 2022/11/09
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        EventType: 'SetValue'
        # Registry key name ending in a random 13-18 letter "extension"
        TargetObject|re: '^.*\\.([a-zA-Z]){13,18}$'
        # Value data ending in a random 18-22 lowercase-letter file type name
        Detail|re: '^.*([a-z]){18,22}$'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_Solarmarker/win_victim_id_file_creation.yml:
--------------------------------------------------------------------------------
title: Solarmarker Unique Victim ID File Creation
id: c7e8e46c-10f2-45e6-936d-8651522223d1
status: experimental
description: Detects creation of an anomalous text file used to generate the victim ID by Solarmarker malware.
references:
    - https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
author: Micah Babinski
date: 2022/11/08
tags:
    - attack.command_and_control
    - attack.t1132
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains: '\AppData\Roaming\'
        # Very long file name ending in '=' (base64-style padding)
        TargetFilename|re: '^.{120,}$'
        TargetFilename|endswith: '='
    selection_2:
        TargetFilename|endswith: '\AppData\Roaming\solarmarker.dat'
    condition: any of selection*
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_ViceSociety_Ransomware/win_encrypted_extension_file_creation_vsociety.yml:
--------------------------------------------------------------------------------
title: Vice Society Encrypted File Extension File Creation
id: ba85a1ba-a194-4f03-9064-0c53da092698
status: experimental
description: Detects creation of potentially-encrypted files by Vice Society ransomware. As this is based only on file extensions, the analyst should investigate surrounding activity to validate that this is not part of a benign application.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.locked'
            - '.vs0ciety'
            - '.v-society'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_ViceSociety_Ransomware/win_exe_deployment_from_remote_share_vsociety.yml:
--------------------------------------------------------------------------------
title: Executable Deployment from Remote Share
id: 85f915d8-7cbc-4bd5-b1cc-03c7f3188c19
status: experimental
description: Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by the Vice Society ransomware gang.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.lateral_movement
    - attack.command_and_control
    - attack.t1105
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|windash: '/c'
        # UNC path to an administrative share ('\\host\c$') with an executable
        CommandLine|contains|all:
            - 'copy'
            - 'exe'
            - 'c$'
            - '\\\\'
        CommandLine|contains:
            - 'temp'
            - 'tmp'
        # Source host referenced by IPv4 address rather than hostname
        CommandLine|re: '.*(?:[0-9]{1,3}\.){3}[0-9]{1,3}.*'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_ViceSociety_Ransomware/win_ntdsutil_credential_theft_vsociety.yml:
--------------------------------------------------------------------------------
title: NTDSutil Pulling of NTDS.dit File
id: e6be4f3d-9ef7-49ff-a18e-633ae489b3e4
status: experimental
description: Detects use of the ntdsutil utility to pull ntds.dit (Active Directory database).
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
    - https://adsecurity.org/?p=2398#CreateIFM
author: Micah Babinski
date: 2022/11/27
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
        # Both tokens are required ('create full' is the IFM media creation command)
        CommandLine|contains|all:
            - 'create'
            - 'full'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2022_ViceSociety_Ransomware/win_susp_net_user_creation_vsociety.yml:
--------------------------------------------------------------------------------
title: Suspicious 'Admin' Local User Creation with Net Command
id: 0ce1911b-5038-4ee7-8925-013d808c6c7f
status: experimental
description: Detects creation of a local user account using the net command with 'Admin' in the name. This technique is used by the Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/28
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1136.001
    - attack.t1136
    - attack.t1078
    - attack.t1078.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\net.exe'
        # All three tokens are required: 'net user <name> ... /add' with 'adm' in the account name
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'adm'
    condition: selection
falsepositives:
    - Valid creation of local user accounts with adm in the name (should be rare)
level: high
--------------------------------------------------------------------------------
/2023_Impacket/GetUserSPNs/zeek_impacket_kerberos_rc4.yml:
--------------------------------------------------------------------------------
title: Possible Impacket GetUserSPNs Activity
id: 73822599-97d8-411f-8ee1-e57ecac118c7
status: experimental
description: Detects attempts to create vulnerable Kerberos Ticket Granting Service (TGS) tickets using the RC4-HMAC encryption type.
references:
    - https://www.blackhillsinfosec.com/impacket-defense-basics-with-an-azure-lab/
    - https://github.com/fortra/impacket/blob/impacket_0_10_0/examples/GetUserSPNs.py
author: Micah Babinski
date: 2023/04/13
tags:
    - attack.s0357
    - attack.credential_access
    - attack.t1558
    - attack.t1558.003
logsource:
    product: zeek
    service: kerberos
detection:
    selection:
        cipher: 'rc4-hmac'
        request_type: 'TGS'
        success: true
    condition: selection
fields:
    - id.orig_h
    - client
    - service
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_Impacket/atexec/win_file_creation_impacket_atexec.yml:
--------------------------------------------------------------------------------
title: Impacket AtExec Suspicious Temp File Creation
id: 22514cf3-83dd-4949-931e-69a6d6abe154
status: experimental
description: Detects atexec.py (Impacket) suspicious file creation in the Windows temp directory.
references:
    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
    - https://www.hackingarticles.in/impacket-guide-smb-msrpc/
    - https://u0041.co/blog/post/1
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.t1053
    - attack.t1053.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\cmd.exe'
        # Eight random letters plus .tmp is the output file name pattern used by atexec.py
        TargetFilename|re: '^C:\\Windows\\Temp\\[A-Za-z]{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_Impacket/atexec/win_proc_creation_impacket_atexec.yml:
--------------------------------------------------------------------------------
title: Impacket AtExec Process Activity
id: ceccdcd7-ab57-407c-bd8f-78b2427eb283
status: experimental
description: Detects atexec.py (Impacket) usage to send command output to the attacker.
references:
    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
    - https://www.hackingarticles.in/impacket-guide-smb-msrpc/
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.t1053
    - attack.t1053.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\cmd.exe'
        CommandLine|contains|all|windash:
            - 'cmd.exe'
            - '/c'
            # quoted so YAML does not treat '>' or '&' as special
            - '2>&1'
        CommandLine|re: '^.*Temp\\[A-Za-z]{8}\.tmp.*$'
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_Impacket/atexec/win_registry_events_impacket_atexec.yml:
--------------------------------------------------------------------------------
title: Impacket AtExec Suspicious Registry Modification
id: be577827-db17-4786-b00a-347c93973662
status: experimental
description: Detects atexec.py (Impacket) suspicious registry key addition.
references:
    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
    - https://www.hackingarticles.in/impacket-guide-smb-msrpc/
    - https://u0041.co/blog/post/1
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.t1053
    - attack.t1053.002
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: 'CreateKey'
        Image|endswith: '\svchost.exe'
        # Scheduled task registered under TaskCache\Tree with an eight-letter random name
        TargetObject|re: '^HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\[A-Za-z]{8}$'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2023_Impacket/dcomexec/zeek_dce_impacket_remote_create_instance_dcomexec.yml:
--------------------------------------------------------------------------------
title: Possible Impacket DCOMExec Connection Attempt - Zeek
id: f6127748-4656-435f-b07c-c624f8f18812
status: experimental
description: Detects attempts to connect via DCOM endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.
references:
    - https://github.com/fortra/impacket/blob/master/impacket/dcerpc/v5/dcomrt.py
    - https://tools.thehacker.recipes/impacket
    - https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
    - https://wadcoms.github.io/wadcoms/Impacket-DCOMExec/
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.lateral_movement
    - attack.t1021
    - attack.t1021.003
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation: RemoteCreateInstance
        endpoint: IRemoteSCMActivator
        id.resp_p: 135
        named_pipe: 135
    condition: selection
fields:
    - id.orig_h
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_Impacket/psexec/win_file_creation_impacket_psexec.yml:
--------------------------------------------------------------------------------
title: Suspicious Impacket PSExec Temp Executable File Creation
id: b0ceadcb-ebc8-455e-9541-19d90ad4502c
status: experimental
description: Detects psexec.py (Impacket) suspicious .exe file creation in the Windows directory.
references:
    - https://github.com/fortra/impacket/blob/impacket_0_9_24/examples/psexec.py
    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.t1569
    - attack.t1569.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # The file is written over SMB by the kernel, so Sysmon reports the image as 'System'
        Image|endswith: 'system'
        TargetFilename|re: '^C:\\Windows\\[A-Za-z]{8}\.exe$'
    condition: selection
falsepositives:
    - Unknown
level: medium
--------------------------------------------------------------------------------
/2023_Impacket/secretsdump/zeek_dce_impacket_rpc_secretsdump.yml:
--------------------------------------------------------------------------------
title: Possible Impacket Secretsdump.py Activity
id: 8d1476b7-0f57-43a4-b56b-50bfab66943d
status: experimental
description: Detects attempts to retrieve/dump credentials using the IDL_DRSGetNCChanges() method (DCSync).
references:
    - https://www.extrahop.com/company/blog/2021/dcsync-definition-and-protection/
    - https://www.secureauth.com/labs/open-source-tools/impacket/
    - https://wiki.samba.org/index.php/DRSUAPI
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/9b4bfb44-6656-4404-bcc8-dc88111658b3
author: Micah Babinski
date: 2023/04/13
tags:
    - attack.s0357
    - attack.credential_access
    - attack.t1003
    - attack.t1003.003
    - attack.t1003.006
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation: DRSGetNCChanges
        endpoint: drsuapi
        # Dynamic RPC port observed in the author's lab; adjust to your environment
        id.resp_p: 49666
        named_pipe: 49666
    condition: selection
fields:
    - id.orig_h
falsepositives:
    - This may detect legitimate Active Directory domain controller replication/sync activity (perhaps filter by inbound/outbound IP addresses of your known DCs)
level: low
--------------------------------------------------------------------------------
/2023_Impacket/smbclient/file_event_win_impacket_exe.yml:
--------------------------------------------------------------------------------
title: Suspicious Exe File Event With System Image
id: 2ace112a-1717-4648-b0f8-51796f36c58e
status: experimental
description: Detects potential SMB file creation activity associated with Impacket smbclient.py.
references:
    - https://github.com/fortra/impacket/blob/impacket_0_10_0/examples/smbclient.py
author: Micah Babinski
date: 2023/04/16
tags:
    - attack.lateral_movement
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.exe'
        Image: System
        # 'Sytem' in the original would never match; the account is NT AUTHORITY\SYSTEM
        User: 'NT Authority\System'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_OneNote_Malware/create_stream_hash_double_extension.yml:
--------------------------------------------------------------------------------
title: Download by Process with Double File Extension
id: 60dbde0d-57dc-40e4-a95c-3488f319f216
status: experimental
description: Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://isc.sans.edu/diary/rss/29470
    - Home lab research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1218
    - attack.t1218.009
    - attack.t1071
    - attack.t1071.004
logsource:
    category: create_stream_hash
    product: windows
detection:
    selection:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/dns_query_double_extension.yml:
--------------------------------------------------------------------------------
title: DNS Query From Process with Double File Extension
id: 42f77908-d267-41ee-bf58-623f5d101d91
status: experimental
description: Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://isc.sans.edu/diary/rss/29470
    - Home lab research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1218
    - attack.t1218.009
    - attack.t1071
    - attack.t1071.004
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/file_event_double_extension.yml:
--------------------------------------------------------------------------------
title: File Creation by Process with Double File Extension
id: 96eba19d-a7ac-494b-8901-112dfc0afa6a
status: experimental
description: Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://isc.sans.edu/diary/rss/29470
    - Home lab research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1218
    - attack.t1218.009
    - attack.t1071
    - attack.t1071.004
logsource:
    # file_event: this rule covers file creations (see title and description)
    category: file_event
    product: windows
detection:
    selection:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/net_connection_win_double_extension.yml:
--------------------------------------------------------------------------------
title: Network Connection From Process with Double File Extension
id: 5deb364c-12e2-4abc-936f-28139aba68a9
status: experimental
description: Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://isc.sans.edu/diary/rss/29470
    - Home lab research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1218
    - attack.t1218.009
    - attack.t1071
    - attack.t1071.004
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/win_proc_creation_double_extension.yml:
--------------------------------------------------------------------------------
title: Process Creation With Double File Extension
id: dd980d89-f015-4d55-b762-ef200843308c
status: experimental
description: Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://www.pcmag.com/encyclopedia/term/double-extension
    - Original research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    selection2:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/win_proc_creation_regasm_process_injection.yml:
--------------------------------------------------------------------------------
title: Suspicious Process Injection to RegAsm
id: c94e87b8-7529-4582-9572-96cd61f7464c
status: experimental
description: Detects potential process injection into RegAsm.exe as indicated by the lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNote files.
references:
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://any.run/report/6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e/031d98bb-3696-4369-8202-2130e87f93d3
author: Micah Babinski (@micahbabinski)
date: 2023/01/29
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\RegAsm.exe'
        ParentCommandLine|endswith:
            - 'RegAsm.exe'
            - 'RegAsm.exe"'
    selection2:
        Image|endswith: '\RegAsm.exe'
        CommandLine|endswith:
            - 'RegAsm.exe'
            - 'RegAsm.exe"'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_OneNote_Malware/win_proc_right_to_left_override.yml:
--------------------------------------------------------------------------------
title: Suspicious Command Line Containing Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
status: experimental
description: Detects the presence of the U+202E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://unicode-explorer.com/c/202E
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # you can't see it, but trust me, there's a right-to-left override character in the regex below! :P
        CommandLine|re: ^.*‮.*$
    condition: selection
falsepositives:
    - Unknown
level: high
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_bypassing_controls.yml:
--------------------------------------------------------------------------------
title: Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
id: e76af6c9-1c66-4ed7-9a36-b2f905e2e78c
status: experimental
description: Detects command line strings which indicate potential attempts to bypass controls. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'bypass'
            - '-exec'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_explorer_start_exit_cmd.yml:
--------------------------------------------------------------------------------
title: Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
id: c4e301d9-9f2d-4a81-9c98-60596edb55a3
status: experimental
description: |
    Detects instances of explorer.exe spawning cmd.exe along with corresponding start and
    exit commands that we commonly observe in conjunction with a wide variety of malicious
    activity. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'start'
            - 'exit'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_obfuscated_commands.yml:
--------------------------------------------------------------------------------
title: Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
id: b6aed14c-95a2-4e03-9949-70bc73c08b64
status: experimental
description: Detects command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Legitimate processes with long or convoluted command lines.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_schtasks_create_shell.yml:
--------------------------------------------------------------------------------
title: Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)
id: a916cc1b-7f0e-46b4-9c77-c80b1f2ba26b
status: experimental
description: Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash:
            - 'create'
            - 'cmd'
            - '/c'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_susp_process_ancestry.yml:
--------------------------------------------------------------------------------
title: Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
id: 60cb2beb-d2ba-4a47-ad68-e97576985c70
status: experimental
description: Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\wmiprvse.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'echo'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_cmd_svc_shell_command.yml:
--------------------------------------------------------------------------------
title: Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
id: 80f850be-12ea-4bb8-b000-6e485dc821f5
status: experimental
description: |
    Detects suspect command line strings in CMD processes spawned by services.exe.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\services.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|windash:
            - 'echo'
            - '/c'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_bitsadmin_download.yml:
--------------------------------------------------------------------------------
title: BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)
id: 0a6b7cc5-f28e-4795-94bf-48112d89664b
status: experimental
description: |
    Detects attempts to bypass security controls using bitsadmin.exe to download malicious code.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - 'download'
            - 'transfer'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_certutil_download.yml:
--------------------------------------------------------------------------------
title: Certutil Downloading Malicious Binaries (RedCanary Threat Detection Report)
id: 5da5a0a0-e610-4d72-9562-339eafdef216
status: experimental
description: |
    Detects attempts to bypass security controls using certutil.exe to download malicious code.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - 'urlcache'
            - 'split'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_access.yml:
--------------------------------------------------------------------------------
title: Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
id: c62c85ad-bbe7-4937-b77a-2cc984a1449d
status: experimental
description: Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\taskmgr.exe'
            - '\rundll32.exe'
            - '\procdump.exe'
            - '\procexp.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_non_sytem.yml:
--------------------------------------------------------------------------------
title: LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
id: c6624640-de9d-4933-a3dd-261cdeafdd18
status: experimental
description: |
    Detects instances of LSASS running under any non-privileged user context, which can indicate abuse.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\lsass.exe'
    filter:
        SubjectUserSid: 'S-1-5-18'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_rundll32_minidump.yml:
--------------------------------------------------------------------------------
title: Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
id: b1bab1c9-9dc4-499e-aa9e-5c1b707c21e1
status: experimental
description: Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'MiniDump'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_susp_lineage.yml:
--------------------------------------------------------------------------------
title: Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
id: 1afbb031-8721-45b3-b2ed-856515f68558
status: experimental
description: |
    Detects potential LSASS abuse based on unusual parent-child process lineage patterns.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        ParentImage|endswith: '\lsass.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\mstsc.exe'
            - '\dllhost.exe'
    selection_2:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\lsass.exe'
        Image|endswith: '\lsass.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_motw_bypass_iso_write_susp_folder.yml:
--------------------------------------------------------------------------------
title: ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)
id: bedf5cac-6332-4463-98ab-818f9e31234c
status: experimental
description: Detects ISO files written to a user's Downloads folder or AppData folder, associated with Mark-of-the-Web bypass. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/mark-of-the-web-bypass/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1553.005
logsource:
    category: file_event
    product: windows
detection:
    selection_iso:
        TargetFilename|endswith: '.iso'
    selection_user_downloads:
        TargetFilename|contains|all:
            - 'Users'
            - 'Downloads'
    selection_appdata:
        TargetFilename|contains: 'appdata'
    condition: selection_iso and (selection_user_downloads or selection_appdata)
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_process_injection_powershell_injection.yml:
--------------------------------------------------------------------------------
title: Powershell Injecting Into Anything (RedCanary Threat Detection Report)
id: 3556964d-5ade-438c-bc68-58e0c64a70ec
status: experimental
description: Detects instances of PowerShell accessing any other processes. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_process_injection_susp_net_conn.yml:
--------------------------------------------------------------------------------
title: Suspicious Network Connections (RedCanary Threat Detection Report)
id: f3b0b17c-0e4b-45e5-b88e-521d2c3f6ae1
status: experimental
description: Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_pwsh_base64_encoding.yml:
--------------------------------------------------------------------------------
title: Powershell Base64 Encoding (RedCanary Threat Detection Report)
id: 4becc177-8fc7-40b4-aa12-ee55202bbe95
status: experimental
description: Detects the execution of powershell.exe with a base64 option on the command line. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'base64'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_pwsh_encoded_command_switch.yml:
--------------------------------------------------------------------------------
title: Powershell Encoded Command Switch (RedCanary Threat Detection Report)
id: 8446b07e-3088-403f-b93e-5a62d88e8dc5
status: experimental
description: Detects the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '-e'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_pwsh_obfuscated_commands.yml:
--------------------------------------------------------------------------------
title: Powershell Obfuscated Commands (RedCanary Threat Detection Report)
id: df39fa21-d6b5-490e-85ef-d9b379707ac8
status: experimental
description: Detects powershell command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Legitimate processes with long or convoluted command lines.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_pwsh_susp_cmdlets.yml:
--------------------------------------------------------------------------------
title: Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
id: 68490f55-bf8d-489d-995a-5ceae34ce215
status: experimental
description: Detects the execution of powershell.exe with suspicious cmdlets or options. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-nop'
            - '-noni'
            - 'invoke-expression'
            - 'iex'
            - '.downloadstring'
            - 'downloadfile'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unexpected_internal_name.yml:
--------------------------------------------------------------------------------
title: Unexpected Internal Process Name (RedCanary Threat Detection Report)
id: e930ba8f-388a-4436-8326-4ffb1c52b111
status: experimental
description: |
    Detects powershell processes renamed to notepad.exe. This is a narrow example for
    demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
        OriginalFileName: 'PowerShell.EXE'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unusual_cmdlines.yml:
--------------------------------------------------------------------------------
title: Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
id: 23aafdd3-8476-49a0-8377-54d26bf7847f
status: experimental
description: |
    Detects non-powershell.exe processes executing with command lines that are usually
    associated with powershell. This is an example for demonstration purposes only.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
    filter_pwsh:
        Image|endswith: '\powershell.exe'
    condition: selection and not filter_pwsh
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rundll32_app_bypass_dllregisterserver.yml:
--------------------------------------------------------------------------------
title: Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
id: f6d0c39a-96fe-45c5-b3c8-7dbea2a3f34c
status: experimental
description: Detects rundll32.exe invoking the DllRegisterServer export function. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DllRegisterServer'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rundll32_inject_to_lsass.yml:
--------------------------------------------------------------------------------
title: Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
id: 7aa20f5c-6100-46c9-8885-427110e0c0e5
status: experimental
description: Detects instances where Rundll32 opens a cross-process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\rundll32.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml:
--------------------------------------------------------------------------------
title: Rundll32 Without a Command Line (RedCanary Threat Detection Report)
id: 2a2bd094-ecd0-4b19-afb7-c2547b0bdf30
status: experimental
description: Detects child processes spawned by a Rundll32 instance that has no command line. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine:
            - 'rundll32.exe'
            - 'rundll32'
            - ''
            - null
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_rundll32_susp_lineage.yml:
--------------------------------------------------------------------------------
title: Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
id: d4ae7bf0-8325-4a1f-9d72-0da717d9d757
status: experimental
description: Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\lsass.exe'
            - '\taskeng.exe'
            - '\winlogon.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_setuid_setgid_binary_search.yml:
--------------------------------------------------------------------------------
title: Find Binary Searching for Executables with Setuid or Setgid Bit (RedCanary Threat Detection Report)
id: 1312409d-9cf1-43c4-82dd-25f5ef59283c
status: experimental
description: |
    Detects searches for setuid or setgid binaries. This rule looks specifically for execution of the find
    binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/setuid-setgid/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1548.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|contains: 'find'
    selection_2:
        CommandLine|contains: '-perm'
    selection_3:
        CommandLine|contains:
            - '4000'
            - '2000'
            - 'u=s'
            - 'g=s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_file_write.yml:
--------------------------------------------------------------------------------
title: File Writes Within Admin Shares (RedCanary Threat Detection Report)
id: 7d5c80c9-c2a0-4eeb-9988-3d1ac170ffc0
status: experimental
description: Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.bat'
        TargetFilename|contains:
            - 'ADMIN$'
            - 'IPC$'
            - 'C$'
    condition: selection
falsepositives:
    - Depends; may require baselining and exclusions for legitimate use.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_impacket_svc_via_registry.yml:
--------------------------------------------------------------------------------
title: Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
id: 187ac7b5-f919-446b-93b3-cde8a6506d64
status: experimental
description: Detects registry key creation matching Impacket's default service naming convention. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        Image|endswith: '\services.exe'
        EventType: 'CreateKey'
        TargetObject: 'HKLM\System\CurrentControlSet\Services\BTOBTO'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_process_execution.yml:
--------------------------------------------------------------------------------
title: Process Execution from Admin Share (RedCanary Threat Detection Report)
id: 508ffe6a-8d07-4162-a000-fbf939a23b92
status: experimental
description: Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ADMIN$'
            - 'IPC$'
            - 'C$'
    condition: selection
falsepositives:
    - Depends; may require baselining and exclusions for legitimate use.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_office_products_spawning_wmic.yml:
--------------------------------------------------------------------------------
title: Office Products Spawning WMI (RedCanary Threat Detection Report)
id: 6335a2c2-5339-443a-b00c-ebffc9ffc321
status: experimental
description: Detects MS Office applications spawning WMI processes. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
        Image|endswith:
            - '\wmic.exe'
            - '\wmiprvse.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml:
--------------------------------------------------------------------------------
title: WMI Reconnaissance (RedCanary Threat Detection Report)
id: 4f2f005d-8755-4ff8-9086-179fc632a850
status: experimental
description: Detects wmic reconnaissance activity. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - '\ldap'
            - 'ntdomain'
    condition: selection
falsepositives:
    - Unknown.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_shadow_copy_deletion.yml:
--------------------------------------------------------------------------------
title: WMI Shadow Copy Deletion (RedCanary Threat Detection Report)
id: 31b52a76-ef7a-40dd-8bb1-9c1671f04d0a
status: experimental
description: Detects wmic shadow copy deletion activity. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    condition: selection
falsepositives:
    - Unknown.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_commands.yml:
--------------------------------------------------------------------------------
title: WMI Suspicious Commands (RedCanary Threat Detection Report)
id: fd4852d8-3464-4639-acc5-f9cf9553a396
status: experimental
description: Detects the wmic process with suspicious options. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'create'
            - 'node:'
            - 'process'
            - 'call'
    condition: selection
falsepositives:
    - Likely will require tuning based on organizational context.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_lineage.yml:
--------------------------------------------------------------------------------
title: WMI Suspicious Process Lineage (RedCanary Threat Detection Report)
id: 03fd0ccb-e246-451d-9923-f0698642a0ec
status: experimental
description: Detects the WMI provider host spawning suspicious processes. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\msbuild.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_pwsh_cmdlets.yml:
--------------------------------------------------------------------------------
title: WMI Suspicious Powershell Cmdlets (RedCanary Threat Detection Report)
id: 75b32717-173f-45d0-9447-be84f8bdcce5
status: experimental
description: Detects WMI-related suspicious powershell cmdlets. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'invoke-wmimethod'
            - 'invoke-cimmethod'
            - 'get-wmiobject'
            - 'get-ciminstance'
            - 'wmiclass'
    condition: selection
falsepositives:
    - Unknown.
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/technique_wmi_unusual_module_loads.yml:
--------------------------------------------------------------------------------
title: WMIC Unusual Module Loads (RedCanary Threat Detection Report)
id: 674d5957-41a2-47df-ad91-1833379632a6
status: experimental
description: Detects module loads by the wmic process that may be used to perform application control bypasses. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        ImageLoaded|endswith:
            - '\jscript.dll'
            - '\vbscript.dll'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_adsearch_reg_runkey_persistence_execution.yml:
--------------------------------------------------------------------------------
title: AdSearch Reg Runkey Persistence Execution (RedCanary Threat Detection Report)
id: b50624c2-7867-4685-817e-88c72da264c7
status: experimental
description: Detects registry modifications to the CurrentVersion\Run key, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/adsearch/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
            - 'currentversion\run'
    condition: selection
falsepositives:
    - Rule is likely to require tuning to exclude normal, authorized activity
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_adsearch_startup_folder_persistence.yml:
--------------------------------------------------------------------------------
title: AdSearch Startup Folder Persistence File Creation (RedCanary Threat Detection Report)
id: 739d97f7-96e3-4e96-aebb-574b4f19d034
status: experimental
description: Detects file creations by cscript in the startup folder, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/adsearch/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\cscript.exe'
        TargetFilename|contains: 'start menu\programs\startup'
    condition: selection
falsepositives:
    - Rule is likely to require tuning to exclude normal, authorized activity
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_bloodhound_common_cmd_actions.yml:
--------------------------------------------------------------------------------
title: Common BloodHound Command-Line Options (RedCanary Threat Detection Report)
id: 2b7d1fff-74b3-496c-b8f9-3bd90ba102c5
status: experimental
description: Detects common BloodHound parameters in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/bloodhound/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0521
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-collectionmethod'
            - 'invoke-bloodhound'
            - 'get-bloodhounddata'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_getsystem_cmd_pattern.yml:
--------------------------------------------------------------------------------
title: Cobalt Strike Beacon Getsystem Pattern (RedCanary Threat Detection Report)
id: 187c05df-debd-40ed-a59e-1163703bb1de
status: experimental
description: Detects a command line pattern indicating the use of the Cobalt Strike GetSystem feature. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
    - https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0154
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|re: '^.*echo\s+[0-9a-f]{11}\s+\>\;?\s+\\\\\.\\pipe\\[0-9a-f]{6}.*$'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_implant.yml:
--------------------------------------------------------------------------------
title: Cobalt Strike Beacon Implant Command Issued via Named Pipe (RedCanary Threat Detection Report)
id: 0da8f33f-2703-4a4e-92f8-a6090a31b1e1
status: experimental
description: Detects named pipe creation indicating a Cobalt Strike beacon implant issuing commands via SMB named pipe. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0154
logsource:
    category: pipe_created
    product: windows
detection:
    selection:
        PipeName|startswith:
            - '\msagent_'
            - '\interprocess_'
            - '\lsarpc_'
            - '\samr_'
            - '\netlogon_'
            - '\wkssvc_'
            - '\srvsvc_'
            - '\mojo_'
            - '\postex_'
            - '\status_'
            - '\msse-'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_uac_bypass_w_cliconfg.yml:
--------------------------------------------------------------------------------
title: Cobalt Strike UAC Bypass Using SQL Server Client Configuration Utility (RedCanary Threat Detection Report)
id: 405ec76f-7d77-464d-b28b-4f5d9131346b
status: experimental
description: Detects a possible Cobalt Strike UAC bypass attempt using cliconfg.exe, the SQL Server Client Configuration Utility. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0154
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\cliconfg.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_emotet_excel_regsvr32_execution.yml:
--------------------------------------------------------------------------------
title: 'Emotet: Regsvr32 Execution from Microsoft Excel (RedCanary Threat Detection Report)'
id: 2cbe546e-8c8a-41ab-80d4-aadd2961b3c7
status: experimental
description: Detects Regsvr32 execution from Excel, a technique associated with Emotet. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/emotet/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0367
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\excel.exe'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_dll_filename.yml:
--------------------------------------------------------------------------------
title: Potential Gamarue DLL Filename (RedCanary Threat Detection Report)
id: 62989cd5-4d35-4ce8-a1fd-73673c25d0f4
status: experimental
description: Detects Gamarue DLL filename patterns in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gamarue/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|re: '\S{10,70}\.\S{10,70},\w{16}'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_gootloader_appdata_js_execution.yml:
--------------------------------------------------------------------------------
title: Gootloader JavaScript Execution in AppData Folder (RedCanary Threat Detection Report)
id: 5e284df6-3a2e-4ac1-8907-29fdc6b43757
status: experimental
description: Detects execution of JavaScript (.js) files located in the AppData folder. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gootloader/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wscript.exe'
        CommandLine|re: '(?i)appdata\\.*\.js'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_gootloader_cscript_msdos_shortnames.yml:
--------------------------------------------------------------------------------
title: Windows Scripting Host Executing JScript Files with MS-DOS Short Names (RedCanary Threat Detection Report)
id: 1aa0b866-727e-480f-9694-6bd694e2855d
status: experimental
description: Detects Windows Scripting Host executing JavaScript files with MS-DOS short name formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gootloader/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cscript.exe'
        CommandLine|contains: '~1.js'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_impacket_atexec_execution.yml:
--------------------------------------------------------------------------------
title: Impacket Atexec.py Execution (RedCanary Threat Detection Report)
id: 6b588393-f45f-484b-8233-56bbc657c63c
status: experimental
description: Detects execution from Impacket's atexec.py. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0357
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\svchost.exe'
            - '\taskeng.exe'
        CommandLine|contains|all:
            - 'cmd.exe'
            - 'windows\temp'
            - '2>&1'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_impacket_smbexec_execution.yml:
--------------------------------------------------------------------------------
title: Impacket SMBexec.py Execution (RedCanary Threat Detection Report)
id: 671651fd-62e1-48d7-b5e0-81b1746ec0dd
status: experimental
description: Detects execution from Impacket's smbexec.py. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0357
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\services.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|re: '(?i)cmd.exe \/Q \/c echo cd \^> \\\\127.0.0.1\\[a-zA-Z]{1,}\$\\__output 2\^>\^&1 > .* & '
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml:
--------------------------------------------------------------------------------
title: Impacket WMIExec.py Execution (RedCanary Threat Detection Report)
id: 26d79902-98ac-43f8-b669-99486e2b5126
status: experimental
description: Detects execution from Impacket's wmiexec.py. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0357
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|re: '(?i)cmd.exe \/Q \/c .*\\\\127.0.0.1\\ADMIN\$\\__[0-9]{1,10}\.[0-9]{1,10} 2>&1'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file_creation.yml:
--------------------------------------------------------------------------------
title: Mimikatz .kirbi File Creation (RedCanary Threat Detection Report)
id: 3f5c1eae-a9ef-44a2-bd04-a8a0e3762ec3
status: experimental
description: Detects creation of .kirbi files, commonly associated with Mimikatz. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/mimikatz/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.kirbi'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names_in_cmdline.yml:
--------------------------------------------------------------------------------
title: Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)
id: ca5d91c2-3411-4085-a003-d7df8ce60244
status: experimental
description: Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/mimikatz/
    - https://github.com/gentilkiwi/mimikatz/wiki (for additional module names)
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'lsadump::sam'
            - 'sekurlsa::minidump'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2023_RedCanary_ThreatDetectionReport/threat_plugx_wsc_proxy_dll_search_order_hijacking.yml:
--------------------------------------------------------------------------------
title: PlugX DLL Search Order Hijacking Using Avast wsc_proxy (RedCanary Threat Detection Report)
id: c518ac74-2e2b-4197-84d7-ea5118c557eb
status: experimental
description: |
    Detects possible DLL Search Order hijacking using the Avast antivirus wsc_proxy application.
    This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.
7 | references: 8 | - https://redcanary.com/threat-detection-report/threats/raspberry-robin/ 9 | author: RedCanary, Sigma formatting by Micah Babinski 10 | date: 2023/05/10 11 | tags: 12 | - attack.s0013 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | Image|endswith: '\wsc_proxy.exe' 19 | filter: 20 | Image|contains: '\program files\' 21 | condition: selection and not filter 22 | falsepositives: 23 | - Could be the result of an administrator installing the application in a custom path 24 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_execution.yml: -------------------------------------------------------------------------------- 1 | title: QBot Mounted Drive Execution (RedCanary Threat Detection Report) 2 | id: 949afe0b-2d45-4999-be9c-fe4808b8a68b 3 | status: experimental 4 | description: Detects process creation from wscript or cscript interpreters with commands occuring on mounted drive letters. Defenders should check whether these processes have child processes. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/qbot/ 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.s0650 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | ParentImage|endswith: '\explorer.exe' 17 | Image|endswith: 18 | - '\wscript.exe' 19 | - '\cscript.exe' 20 | CommandLine|re: '[d-z]:\\[^\\]+\.(?:js|vbs|wsf)' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_qbot_rundll32_non_standard_file_proxy_execution.yml: -------------------------------------------------------------------------------- 1 | title: QBot rundll32.exe Non-standard File Proxy Execution (RedCanary Threat Detection Report) 2 | id: bb1cfac0-eca2-4803-9acd-aa75f5b84ff4 3 | status: experimental 4 | description: Detects Rundll32.exe process creations with non-standard file types denoted by excluding the common file types from the command-=line selection. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/qbot/ 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.s0650 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection: 16 | Image|endswith: '\rundll32.exe' 17 | filter: 18 | CommandLine|contains: 19 | - '.dll' 20 | - '.cpl' 21 | - '.ax' 22 | - '.ocx' 23 | - '.inf' 24 | condition: selection and not filter 25 | falsepositives: 26 | - Unknown 27 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_execution.yml: -------------------------------------------------------------------------------- 1 | title: Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report) 2 | id: 60a7350b-38b0-4f44-b2e8-e7b284516bd0 3 | status: experimental 4 | description: Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/raspberry-robin/ 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.command_and_control 11 | - attack.t1105 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection_img: 17 | Image|endswith: '\msiexec.exe' 18 | selection_cmd_1: 19 | CommandLine|contains: 20 | - 'http:' 21 | - 'https:' 22 | selection_cmd_2: 23 | CommandLine|contains|windash: '/q' 24 | condition: all of selection_* 25 | falsepositives: 26 | - Unknown 27 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enumeration.yml: -------------------------------------------------------------------------------- 1 | title: SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report) 2 | id: cdd824c2-ebda-404e-ad62-b2acf251976a 3 | status: experimental 4 | description: Detects domain trust enumeration with nltest.exe, a procedure associated with SocGholish. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.discovery 11 | - attack.t1482 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image|endswith: '\nltest.exe' 18 | CommandLine|contains|windash: 19 | - '/domain_trusts' 20 | - '/all_trusts' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_output_to_file.yml: -------------------------------------------------------------------------------- 1 | title: SocGholish Script File Whoami Output to File (RedCanary Threat Detection Report) 2 | id: 0886986b-47e9-41e8-87c7-41b202503b24 3 | status: experimental 4 | description: Detects wscript spawning CMD which in turn runs whoami, with the output of the command directed to a file. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.discovery 11 | - attack.t1033 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | ParentImage|endswith: '\wscript.exe' 18 | Image|endswith: '\cmd.exe' 19 | CommandLine|contains|windash: 20 | - 'whoami /all >' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_startup_lnk_file.yml: -------------------------------------------------------------------------------- 1 | title: Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report) 2 | id: 874acb07-02f7-4c9f-8069-e0659c6d3fad 3 | status: experimental 4 | description: | 5 | Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) 6 | Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/ 9 | author: RedCanary, Sigma formatting by Micah Babinski 10 | date: 2023/05/10 11 | tags: 12 | - attack.initial_access 13 | - attack.defense_evasion 14 | - attack.t1566 15 | logsource: 16 | category: file_event 17 | product: windows 18 | detection: 19 | selection_img: 20 | Image|endswith: '\powershell.exe' 21 | selection_filepath: 22 | TargetFilename|contains: 'start menu\programs\startup' 23 | selection_file_ext: 24 | TargetFilename|endswith: '.lnk' 25 | condition: all of selection* 26 | falsepositives: 27 | - Unknown 28 | level: low -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_susp_dotnet_methods.yml: -------------------------------------------------------------------------------- 1 | title: Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report) 2 | id: e2c6d4c8-2e14-47a8-b22c-e4c9e7e65d0e 3 | status: experimental 4 | description: Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report. 
5 | references: 6 | - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/ 7 | author: RedCanary, Sigma formatting by Micah Babinski 8 | date: 2023/05/10 9 | tags: 10 | - attack.initial_access 11 | - attack.defense_evasion 12 | - attack.t1566 13 | logsource: 14 | category: ps_script 15 | product: windows 16 | definition: 'Requirements: Script Block Logging must be enabled' 17 | detection: 18 | selection: 19 | ScriptBlockText|contains: 20 | - 'aescryptoserviceprovider' 21 | - 'frombase64string' 22 | - 'user32.dll' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: low -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/file_event_win_webdav_tmpfile_creation.yml: -------------------------------------------------------------------------------- 1 | title: WebDAV Temporary Local File Creation 2 | id: 4c55738d-72d8-490e-a2db-7969654e375f 3 | status: experimental 4 | description: Detects the creation of WebDAV temporary files with suspicious extensions 5 | references: 6 | - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html 7 | author: Micah Babinski 8 | date: 2023/07/31 9 | modified: 2023/08/04 10 | tags: 11 | - attack.initial_access 12 | - attack.t1584 13 | - attack.t1566 14 | logsource: 15 | product: windows 16 | category: file_event 17 | detection: 18 | selection_1: 19 | TargetFilename|contains: 'AppData\Local\Temp\TfsStore\Tfs_DAV' 20 | selection_2: 21 | TargetFilename|endswith: 22 | - '.vbs' 23 | - '.ps1' 24 | - '.lnk' 25 | - '.zip' 26 | - '.ico' 27 | - '.bat' 28 | - '.js' 29 | condition: all of selection_* 30 | falsepositives: 31 | - Legitimate use of WebDAV in an environment 32 | level: low -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/proc_creation_win_webdav_lnk_execution.yml: -------------------------------------------------------------------------------- 1 | title: 
Suspicious WebDAV LNK Execution 2 | id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe 3 | related: 4 | - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 5 | type: similar 6 | status: experimental 7 | description: Detects possible execution via LNK file accessed on a WebDAV server. 8 | references: 9 | - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html 10 | - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 11 | author: Micah Babinski 12 | date: 2023/07/31 13 | tags: 14 | - attack.execution 15 | - attack.t1059.001 16 | - attack.t1204 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection_img: 22 | ParentImage|endswith: '\explorer.exe' 23 | Image|endswith: 24 | - '\wscript.exe' 25 | - '\cscript.exe' 26 | - '\cmd.exe' 27 | selection_cmd: 28 | CommandLine|contains: '\DavWWWRoot\' 29 | condition: all of selection_* 30 | falsepositives: 31 | - Unknown 32 | level: high -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/proxy_webdav_search_ms.yml: -------------------------------------------------------------------------------- 1 | title: Search-ms and WebDAV Indicators in URL 2 | id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2 3 | status: experimental 4 | description: Detects URL pattern used by search(-ms)/WebDAV initial access campaign. 
5 | references: 6 | - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html 7 | author: Micah Babinski 8 | date: 2023/07/31 9 | modified: 2023/08/04 10 | tags: 11 | - attack.initial_access 12 | - attack.t1584 13 | - attack.t1566 14 | logsource: 15 | category: proxy 16 | detection: 17 | selection_search_ms: 18 | c-uri|contains|all: 19 | - 'search' # matches on search:query= or search-ms:query= 20 | - ':query=' 21 | - 'webdav' 22 | selection_search_term: 23 | c-uri|contains: 24 | - 'invoice' 25 | - 'payment' 26 | - 'notice' 27 | - 'agreement' 28 | # add others! 29 | filter: 30 | dst_ip: 31 | - '127.0.0.0/8' 32 | - '10.0.0.0/8' 33 | - '172.16.0.0/12' 34 | - '192.168.0.0/16' 35 | condition: all of selection_* and not filter 36 | falsepositives: 37 | - Legitimate use of search-ms/search URI protocol 38 | level: high -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/file_creation_win_cicada_psexec.yml: -------------------------------------------------------------------------------- 1 | title: Cicada Ransomware PSExec File Creation 2 | id: 76cdd984-4b2b-465d-908f-d55ead0cdc9e 3 | status: experimental 4 | description: Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec. 
5 | references: 6 | - https://blog.morphisec.com/cicada3301-ransomware-threat-analysis 7 | author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)' 8 | date: 2024-09-07 9 | tags: 10 | - attack.lateral-movement 11 | - attack.execution 12 | - attack.t1570 13 | - attack.t1569 14 | - attack.t1569.002 15 | - attack.s0029 16 | logsource: 17 | category: file_event 18 | product: windows 19 | detection: 20 | selection: 21 | TargetFilename|contains: 'psexec' 22 | TargetFilename|startswith: 'C:\Users\Public' 23 | filter: 24 | TargetFilename|endswith: '\psexec.exe' 25 | condition: selection and not filter 26 | falsepositives: 27 | - Unknown 28 | level: medium -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_cicada3301_execution.yml: -------------------------------------------------------------------------------- 1 | title: Cicada3301 Ransomware Execution via PSExec 2 | id: 79495647-d84d-4804-9a52-5263cfdf2c63 3 | status: experimental 4 | description: | 5 | Detects the use of a potentially-renamed psexec to run the Cicada3301 ransomware tool. 
6 | references: 7 | - https://engage.morphisec.com/threat-analysis-cicada3301 8 | author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)' 9 | date: 2024-09-08 10 | tags: 11 | - attack.execution 12 | - attack.t1569 13 | - attack.t1569.002 14 | - attack.s0029 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection_1: 20 | - Image|endswith: '\psexec0.exe' 21 | - OriginalFileName: 'psexec.c' 22 | selection_2: 23 | CommandLine|contains: 24 | - '--key' 25 | - '--path' 26 | - '-p ' 27 | - '-s ' 28 | - '--no_local' 29 | - '--no_net' 30 | - '--no_impl' 31 | - '--no_notes' 32 | filter: 33 | Image|endswith: '\psexec.exe' 34 | condition: all of selection_* and not filter 35 | falsepositives: 36 | - Unknown 37 | level: high -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_hyperv_stopvm.yml: -------------------------------------------------------------------------------- 1 | title: Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets 2 | id: d42df972-2f45-44b0-8566-3de71b9ed3e9 3 | status: experimental 4 | description: Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware. 
5 | references: 6 | - https://blog.morphisec.com/cicada3301-ransomware-threat-analysis 7 | related: 8 | - id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd # Suspicious Hyper-V Cmdlets - SigmaHQ/frack113 9 | type: derived 10 | author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)' 11 | date: 2024-09-07 12 | tags: 13 | - attack.defense-evasion 14 | - attack.impact 15 | - attack.t1578 16 | - attack.t1578.003 17 | - attack.t1529 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | detection: 22 | selection_img: 23 | - Image|endswith: '\powershell.exe' 24 | - OriginalFileName: 'powershell.exe' 25 | selection_cmd: 26 | CommandLine|contains|all: 27 | - 'Get-VM' 28 | - 'Stop-VM' 29 | - '-Force' 30 | condition: all of selection_* 31 | falsepositives: 32 | - Unknown 33 | level: medium -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_iisreset_stop.yml: -------------------------------------------------------------------------------- 1 | title: IISReset Used to Stop IIS Services 2 | id: 3a56827c-353e-4e86-b429-674abae37f32 3 | status: experimental 4 | description: | 5 | Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users 6 | from accessing IIS web resources, thereby releasing/preventing locks which could inhibit 7 | ransomware-related encryption. 
8 | references: 9 | - https://engage.morphisec.com/threat-analysis-cicada3301 10 | author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)' 11 | date: 2024-09-07 12 | tags: 13 | - attack.impact 14 | - attack.defense-evasion 15 | - attack.t1562 16 | - attack.t1562.001 17 | - attack.t1529 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | detection: 22 | selection_1: 23 | - Image|endswith: '\iisreset.exe' 24 | - OriginalFileName: 'iisreset.exe.mui' 25 | selection_2: 26 | CommandLine|contains: '/stop' 27 | condition: all of selection_* 28 | falsepositives: 29 | - Legitimate use 30 | level: medium -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_applescript_applet_download_as_payload.yml: -------------------------------------------------------------------------------- 1 | title: In-memory Downloading and Compiling of Applets as Payloads 2 | id: 75933b00-4949-4cf0-a0e0-f234c3ff1407 3 | status: experimental 4 | description: | 5 | This analytic uses a single ES_EVENT_TYPE_NOTIFY_EXEC event and looks for 6 | the the execution of curl, |, or osacompile commands. Part of the RedCanary 7 | 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/techniques/applescript/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.execution 14 | - attack.t1059 15 | - attack.t1059.002 16 | logsource: 17 | product: macos 18 | category: process_creation 19 | detection: 20 | selection: 21 | CommandLine|contains|all: 22 | - 'osascript' 23 | - '|' 24 | - 'curl' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_applescript_input_prompt.yml: -------------------------------------------------------------------------------- 1 | title: Mac AppleScript Input Prompt 2 | id: cff40f2b-46e9-49cc-8ba5-dde6403ab453 3 | status: experimental 4 | description: | 5 | Adversaries leverage AppleScript to try to steal the user’s login password. 6 | This analytic attempts to detect that activity via the first variation. 7 | Part of the RedCanary 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/techniques/applescript/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.execution 14 | - attack.t1059 15 | - attack.t1059.002 16 | logsource: 17 | product: macos 18 | category: process_creation 19 | detection: 20 | selection: 21 | CommandLine|contains|all: 22 | - 'osascript' 23 | - 'display dialog' 24 | - 'password' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_bypass_security_controls.yml: -------------------------------------------------------------------------------- 1 | title: Bypassing Security Controls - Command Shell 2 | id: 2aaf3922-0a8b-4b7b-9c10-ea552bdff707 3 | status: experimental 4 | description: | 5 | Adversaries bypass controls using the Windows Command Shell in a plethora of ways, 6 | but you can detect the one we see most often with a simple combination of process 7 | execution and a corresponding command line. Part of the RedCanary 2024 Threat 8 | Detection Report. 
9 | references: 10 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.execution 15 | - attack.t1059 16 | - attack.t1059.003 17 | - attack.defense_evasion 18 | - attack.t1202 19 | logsource: 20 | category: process_creation 21 | product: windows 22 | detection: 23 | selection: 24 | Image|endswith: '\cmd.exe' 25 | CommandLine|contains: 26 | - 'bypass' 27 | - '-exec' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_explorer.yml: -------------------------------------------------------------------------------- 1 | title: Windows Explorer Spawning Command Shell with Start and Exit Commands 2 | id: ebb4eaad-9909-4785-a038-97bdee8aa5ae 3 | status: experimental 4 | description: | 5 | This detection analytic looks for instances of explorer.exe spawning cmd.exe along 6 | with corresponding start and exit commands that we commonly observe in conjunction 7 | with a wide variety of malicious activity. Part of the RedCanary 2024 Threat 8 | Detection Report. 
9 | references: 10 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.execution 15 | - attack.t1059 16 | - attack.t1059.003 17 | - attack.t1053 18 | logsource: 19 | category: process_creation 20 | product: windows 21 | detection: 22 | selection: 23 | ParentImage|endswith: '\explorer.exe' 24 | Image|endswith: '\cmd.exe' 25 | CommandLine|contains|all: 26 | - 'start' 27 | - 'exit' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_schtask.yml: -------------------------------------------------------------------------------- 1 | title: Windows Scheduled Task Creating Shell 2 | id: 8b1a34e3-c4d6-4af6-9836-35a0da09b85b 3 | status: experimental 4 | description: | 5 | Adversaries frequently establish persistence by using scheduled tasks to launch 6 | the Windows Command Shell. Detecting this behavior is relatively straightforward. 7 | Part of the RedCanary 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.execution 14 | - attack.t1059 15 | - attack.t1059.003 16 | - attack.t1053 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection1: 22 | Image|endswith: '\schtasks.exe' 23 | CommandLine|contains: 'create' 24 | selection2: 25 | CommandLine|contains: 26 | - 'cmd.exe /c' 27 | - 'cmd /c' 28 | condition: all of selection* 29 | falsepositives: 30 | - Unknown 31 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_service_ctrl_mgr.yml: -------------------------------------------------------------------------------- 1 | title: Service Control Manager Spawning Command Shell with Suspect Strings 2 | id: cdf9f0ba-857a-4f91-9f30-724ade93b797 3 | status: experimental 4 | description: | 5 | The following pseudo detector should generate an alert when services.exe spawns 6 | cmd.exe along with a corresponding echo or /c command, which are common attributes 7 | of post exploitation that we’ve seen in association with this technique. Part of 8 | the RedCanary 2024 Threat Detection Report. 
9 | references: 10 | - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.execution 15 | - attack.t1059 16 | - attack.t1059.003 17 | - attack.t1569 18 | - attack.t1569.002 19 | logsource: 20 | category: process_creation 21 | product: windows 22 | detection: 23 | selection: 24 | ParentImage|endswith: '\services.exe' 25 | Image|endswith: '\cmd.exe' 26 | CommandLine|contains: 27 | - 'echo' 28 | - '/c' 29 | condition: selection 30 | falsepositives: 31 | - Unknown 32 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_criteria.yml: -------------------------------------------------------------------------------- 1 | title: Email Forwarding Rule - Suspicious Forwarding Criteria 2 | id: 7315f2c5-892c-4c18-bda4-b788ef9219a2 3 | status: experimental 4 | description: | 5 | Detects the creation of email forwarding rules with suspicious strings indicating 6 | forwarding criteria meant to steal sensitive information. Part of the RedCanary 7 | 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.collection 14 | - attack.t1114 15 | - attack.t1114.003 16 | logsource: 17 | service: exchange 18 | product: m365 19 | detection: 20 | selection: 21 | Workload: 'Exchange' 22 | Operation: 23 | - 'New-InboxRule' 24 | - 'Set-InboxRule' 25 | Parameters|contains: 26 | - 'ACH' 27 | - 'Invoice' 28 | - 'Payroll' 29 | - 'Password Reset' 30 | - 'Login code' 31 | condition: selection 32 | falsepositives: 33 | - Unknown 34 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_names.yml: -------------------------------------------------------------------------------- 1 | title: Email Forwarding Rule - Suspicious Rule Names 2 | id: 47ea2a13-f863-4403-a672-00b3d940ac92 3 | status: experimental 4 | description: | 5 | Detects the creation of email forwarding rules with suspicious names. Part of the 6 | RedCanary 2024 Threat Detection Report. 7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/ 9 | author: RedCanary, Sigma formatting by Micah Babinski 10 | date: 2024/03/21 11 | tags: 12 | - attack.collection 13 | - attack.t1114 14 | - attack.t1114.003 15 | logsource: 16 | service: exchange 17 | product: m365 18 | detection: 19 | selection_rule: 20 | Workload: 'Exchange' 21 | Operation: 22 | - 'New-InboxRule' 23 | - 'Set-InboxRule' 24 | selection_onechar: 25 | RuleName|re: '^\w{1}$' 26 | selection_susp_vals: 27 | RuleName: 28 | - '.' 29 | - '..' 
30 | - 'aaaaa' 31 | - '……' 32 | - ';' 33 | condition: selection_rule and (selection_onechar or selection_susp_vals) 34 | falsepositives: 35 | - Unknown 36 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_bitsadmin_download.yml: -------------------------------------------------------------------------------- 1 | title: BITSAdmin Downloading Malicious Binaries 2 | id: b195646e-8455-4fa1-b78a-91bb92371152 3 | status: experimental 4 | description: | 5 | It is not unusual for adversaries, including ones who peddle ransomware, to use 6 | BITSAdmin to download arbitrary files from the internet in an effort to evade 7 | application blocklisting. The following analytic will look for the execution of 8 | bitsadmin.exe with command options that suggest a file is being downloaded. Part 9 | of the RedCanary 2024 Threat Detection Report. 10 | references: 11 | - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 12 | author: RedCanary, Sigma formatting by Micah Babinski 13 | date: 2024/03/21 14 | tags: 15 | - attack.command_and_control 16 | - attack.t1105 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | Image|endswith: '\bitsadmin.exe' 23 | CommandLine|contains: 24 | - 'download' 25 | - 'transfer' 26 | condition: selection 27 | falsepositives: 28 | - Unknown 29 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certreq_download.yml: -------------------------------------------------------------------------------- 1 | title: Certreq Downloading Malicious Binaries 2 | id: da4eca65-03c5-497a-a8f0-d4b0534a5c53 3 | status: experimental 4 | description: | 5 | Just like certutil, certreq can also be abused by adversaries to download and 6 | upload data. 
The following analytic will look for the execution of certreq.exe 7 | with command options that suggest a file is being downloaded. Part of the 8 | RedCanary 2024 Threat Detection Report. 9 | references: 10 | - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.command_and_control 15 | - attack.t1105 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\certreq.exe' 22 | CommandLine|contains: 23 | - '-post' 24 | - '-config' 25 | - 'http' 26 | - 'get' 27 | condition: selection 28 | falsepositives: 29 | - Unknown 30 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certutil_download.yml: -------------------------------------------------------------------------------- 1 | title: CertUtil Downloading Malicious Binaries 2 | id: 95d670e1-ce19-4269-b101-e12a1bce7c41 3 | status: experimental 4 | description: | 5 | Adversaries often bypass security controls by using the Windows Certificate 6 | Utility (certutil.exe) to download malicious code. In general, they leverage 7 | certutil.exe along with the -split command-line option. Part of the RedCanary 8 | 2024 Threat Detection Report. 
9 | references: 10 | - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.command_and_control 15 | - attack.t1105 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|endswith: '\certutil.exe' 22 | CommandLine|contains|all: 23 | - 'urlcache' 24 | - 'split' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_installer_packages_non_ms_publisher_id.yml: -------------------------------------------------------------------------------- 1 | title: Non-Microsoft App Package Installation Process 2 | id: ca15c3dc-243f-432d-868b-c7694027be21 3 | status: experimental 4 | description: | 5 | Detects app package installation processes where the app is not a Microsoft app 6 | based on the publisher ID. Part of the RedCanary 2024 Threat Detection Report. 
7 | references: 8 | - https://redcanary.com/threat-detection-report/techniques/installer-packages/ 9 | author: RedCanary, Sigma formatting by Micah Babinski 10 | date: 2024/03/21 11 | tags: 12 | - attack.persistence 13 | - attack.privilege_escalation 14 | - attack.t1546 15 | - attack.t1546.016 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | Image|contains: 22 | - 'C:\Program Files\WindowsApps' 23 | - 'C:\Program Files (x86)\WindowsApps' 24 | filter: 25 | Image|contains: 26 | - '8wekyb3d8bbwe' 27 | - 'cw5n1h2txyewy' 28 | condition: selection and not filter 29 | falsepositives: 30 | - Unknown 31 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_installer_packages_psf_powershell_execution.yml: -------------------------------------------------------------------------------- 1 | title: Package Support Framework (PSF) Advanced Installer Processes 2 | id: 0c5dcf6c-9b6a-4411-a410-9b9b2caaef75 3 | status: experimental 4 | description: | 5 | Detects app package installation processes where legitimate software is included 6 | in an MSIX package, but a malicious PowerShell script may execute beforehand by 7 | employing the Package Support Framework (PSF). In these cases, the MSIX package 8 | includes the malicious script, which is executed as specified in an included 9 | config.json file. Part of the RedCanary 2024 Threat Detection Report. 
references:
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546
    - attack.t1546.016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_nondepmod_modifying_modules_dep.yml:
--------------------------------------------------------------------------------
title: Non-depmod Process Modifying modules.dep
id: c0bbc749-9ed3-483b-b3ac-7c5732a61fda
status: experimental
description: |
    Detects an unusual process modifying the modules.dep file. The modules.dep and modules.dep.bin
    files should only be modified by the depmod utility. Part of the RedCanary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/lib/modules/'
        TargetFilename|endswith:
            - '/modules.dep'
            - '/modules.dep.bin'
    filter:
        Image|endswith: '/depmod'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_shells_modifying_files_in_lkm_directories.yml:
--------------------------------------------------------------------------------
title: Shells Modifying Files in Known Linux Kernel Modules Directories
id: 173fa93c-88ce-4d3f-89de-cfc849a94821
status: experimental
description: |
    Detects configuration files being written to specific directories that are searched when
    looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: file_event
detection:
    selection:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/dash'
            - '/zsh'
        TargetFilename|contains:
            - '/lib/modules/*/'
            - '/etc/modules-load.d/'
            - '/lib/modules-load.d/'
            - '/usr/lib/modules-load.d/'
            - '/usr/local/lib/modules-load.d/'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_insmod.yml:
--------------------------------------------------------------------------------
title: Systemd Loading a Linux Kernel Module Using insmod
id: 6ec5eab7-03aa-4a6b-8562-012f3ddd2c64
status: experimental
description: |
    Detects the systemd process running commands that would load a Linux Kernel Module. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '/systemd'
        Image|endswith: '/insmod'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_modprobe.yml:
--------------------------------------------------------------------------------
title: Systemd Loading a Linux Kernel Module Using modprobe
id: 4d786f58-8222-4047-b635-6432da31bd7c
status: experimental
description: |
    Detects the systemd process loading a Linux Kernel Module using modprobe. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        ParentImage|endswith: '/systemd'
        Image|endswith: '/modprobe'
        CommandLine|contains:
            - '-a'
            - '-af'
            - '-fa'
    selection2:
        # looks for commands with an argument that does not begin with '-'
        CommandLine|re: '^.*modprobe.*\s[a-zA-Z].*$'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_obfuscation_base64_encoding.yml:
--------------------------------------------------------------------------------
title: Base64 Encoding
id: 027b8851-d448-4a3e-8f2e-698433ba81e3
status: experimental
description: |
    If you're looking to detect malicious use of Base64 encoding, consider monitoring for the
    execution of processes like powershell.exe or cmd.exe along with command lines containing
    parameters like ToBase64String and FromBase64String. The following simple pseudo-analytic
    might help you find malicious obfuscation. Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains: 'base64'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_obfuscation_zipfile_spawning_javascript.yml:
--------------------------------------------------------------------------------
title: ZIP File Spawning JavaScript
id: b99b32f3-aa61-495d-a6a1-2595e1551ba8
status: experimental
description: |
    RedCanary detected high volumes of obfuscation this year in apparent phishing
    schemes where adversaries conceal JavaScript payloads in ZIP files and write them
    to the users and temp directories. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    # CommandLine is only present on network_connection events in backends that enrich
    # them with process fields; Sysmon Event ID 3 does not carry it
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\wscript.exe'
        CommandLine|contains|all:
            - 'users'
            - 'temp'
            - '.zip'
            - '.js'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_os_cred_dumping_secretsdump_file_modification.yml:
--------------------------------------------------------------------------------
title: SecretsDump File Modification
id: 88de04f6-c443-40ec-a592-72c31a55810b
status: experimental
description: |
    Impacket's SecretsDump utility consistently involves the Windows Service Host
    (svchost.exe) writing randomly named .tmp files to the System32 directory. The
    following pseudo-detector should offer defenders a reliable method of detecting
    Impacket's SecretsDump utility. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/os-credential-dumping/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\regsvc.dll'
        # TargetFilename|contains: 'windows\system32' # need to join file creation events on process id
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_powershell_base64_encoding.yml:
--------------------------------------------------------------------------------
title: PowerShell Base64 Encoding
id: df33cc09-ea03-4681-bd6c-b8dba7328a84
status: experimental
description: |
    This analytic looks for the execution of a process that seems to be
    powershell.exe along with a corresponding command line containing the
    term base64. Base64 encoding isn't inherently suspicious, but it's worth
    looking out for in a lot of environments, and the following pseudo-detection
    logic can help detect a wide variety of malicious activity. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'base64'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_powershell_encoded_command.yml:
--------------------------------------------------------------------------------
title: PowerShell -encodedcommand Switch
id: 2f0c5dcb-71aa-44d7-abc6-dac43f121138
status: experimental
description: |
    This detection analytic looks for the execution of powershell.exe with command
    lines that include variations of the -encodedcommand argument; PowerShell will
    recognize and accept anything from -e onward, and it will show up outside of
    the encoded bits. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # trailing space keeps the match on the switch itself rather than on the encoded payload
        CommandLine|contains:
            - '-e '
            - '-en '
            - '-enc '
            - '-enco '
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_powershell_susp_cmdlets.yml:
--------------------------------------------------------------------------------
title: Suspicious PowerShell Cmdlets
id: 33a86fea-add2-42b3-bccb-96285c619933
status: experimental
description: |
    Many of our PowerShell detection analytics look for cmdlets, methods, and
    switches that may indicate malicious activity. The following analytic is
    by no means exhaustive but offers a few valuable examples of suspicious
    cmdlets and other oft-abused features to look out for. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-nop'
            - '-noni'
            - 'invoke-expression'
            - 'iex'
            - '.downloadstring'
            - 'downloadfile'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_powershell_notepad.yml:
--------------------------------------------------------------------------------
title: Unexpected Internal Process Name
id: a6d26b45-14ea-4ee0-901c-3aefc384d3c9
status: experimental
description: |
    Detects instances where the powershell process is renamed to notepad for defense evasion.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
        OriginalFileName: 'powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_unusual_cmdline.yml:
--------------------------------------------------------------------------------
title: Processes Executing with Unusual Command Lines
id: 4108fe33-1d66-4111-a698-53b4ecc15dc4
status: experimental
description: |
    Detects powershell command lines used with a process name besides powershell. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
    filter:
        Image|endswith: '\powershell.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_rundll32_dllregister_server_function.yml:
--------------------------------------------------------------------------------
title: Application Bypass with DllRegisterServer Function
id: 06c7a5b8-24dc-482c-8203-c674a7e05c56
status: experimental
description: |
    DLLs that are designed to be loaded by Regsvr32 are expected to have a
    DllRegisterServer export function implemented. Adversaries will often
    supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer
    export function with rundll32.exe is tradecraft that's unique to adversary
    behavior and is rarely seen in legitimate scenarios. We've observed this
    behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DllRegisterServer'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_rundll32_injection_to_lsass.yml:
--------------------------------------------------------------------------------
title: Rundll32 Injection into LSASS
id: c6a45ac1-b909-423b-907b-a9bfde31ab9c
status: experimental
description: |
    The following pseudo-detector should help security teams detect instances
    where Rundll32 opens a cross process handle into LSASS to collect credentials.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\rundll32.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml:
--------------------------------------------------------------------------------
title: Rundll32 Without a Command Line
id: 0fab2f9d-0c38-4392-802f-09e4f4fef0ed
status: experimental
description: |
    Rundll32 does not normally execute without corresponding command-line
    arguments and while spawning a child process. Given this, you may want
    to alert on the execution of processes that appear to be rundll32.exe
    without any command-line arguments, especially when they spawn child
    processes or make network connections. Part of the RedCanary 2024
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine: null
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_wmi_office_product_parent.yml:
--------------------------------------------------------------------------------
title: Office Products Spawning WMI
id: 0c2d39af-2c24-42c4-9bab-35e30ad2aeb8
status: experimental
description: |
    It's almost always malicious when wmic.exe spawns as a child process of Microsoft Office and
    similar products. As such, it makes sense to examine the chain of execution and follow-on
    activity when this occurs. The following is a non-exhaustive example analytic that will catch
    some of this activity. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
        Image|endswith: '\wmic.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml:
--------------------------------------------------------------------------------
title: WMI Reconnaissance
id: 8a450075-e74f-4b19-9efa-b62a53f85bf8
status: experimental
description: |
    Reconnaissance is harder to detect because it looks very similar to normal admin behavior.
    Even so, we detect a relatively high volume of adversaries leveraging WMI to quickly gather
    domain information such as users, groups, or computers in the domain. The following may help
    you detect related activity. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1087
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - '\ldap'
            - 'ntdomain'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_wmi_shadowcopy_deletion.yml:
--------------------------------------------------------------------------------
title: WMI Shadow Copy Deletion
id: 1c078d3c-749c-40ce-9400-c2dbad604764
status: experimental
description: |
    It's not uncommon for ransomware operators to leverage WMI to delete volume shadows,
    significantly complicating the process for recovering access to encrypted systems and files.
    If you want to detect ransomware using WMI to delete shadow copies, consider looking for
    wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'shadowcopy'
            - 'delete'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_powershell_cmdlets.yml:
--------------------------------------------------------------------------------
title: Suspicious PowerShell Cmdlets - WMI
id: e29d3301-3b64-4305-9e91-8aabfbef2015
status: experimental
description: |
    There are numerous default PowerShell cmdlets that allow administrators to leverage WMI via
    PowerShell. Both adversaries and administrators use these cmdlets to query the operating
    system or execute commands, either locally or remotely. Cmdlets like Get-WMIObject are often
    used for reconnaissance. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'invoke-wmimethod'
            - 'invoke-cimmethod'
            - 'get-wmiobject'
            - 'get-ciminstance'
            - 'wmiclass'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_cmdline.yml:
--------------------------------------------------------------------------------
title: Gamarue Rundll32.exe Long Commandlines
id: 66fa7a57-1c53-42e1-9e5c-e9a1f5e62784
status: experimental
description: |
    Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority
    of Gamarue activity we see involves rundll32.exe executing with unusual command lines
    that include long filenames with repeating characters and random function names. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gamarue/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # long <name>.<extension> followed by a 16-character export name after the comma
        CommandLine|re: '.*\S{10,70}\.\S{10,70},\w{16}'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_impacket_secretsdump_execution.yml:
--------------------------------------------------------------------------------
title: Secretsdump.py Execution
id: 1337f1b5-8524-40f7-bf08-b0dec46cb764
status: experimental
description: |
    This detection analytic identifies Impacket's secretsdump.py script on a target host, which is the most common script we have observed
    in customer environments. secretsdump.py is run remotely from an adversary's machine to steal credentials. The command is commonly
    executed by svchost.exe, which loads regsvc.dll to allow the export of credentials from the registry. The output is redirected
    to an eight-character TMP file within the System32 directory. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0357
    - attack.credential_access
    - attack.t1003
    - attack.t1003.003
    - attack.t1003.006
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # eight-character randomly named .tmp file written directly into System32
        TargetFilename|re: '^.*:\\windows\\system32\\\w{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml:
--------------------------------------------------------------------------------
title: Wmiexec.py Execution
id: 2968dbf6-77ee-4932-b42b-b453d3ac8915
status: experimental
description: |
    This detection analytic looks for wmiprvse.exe spawning cmd.exe with a command line containing
    the strings `cmd.exe /Q /c `, ` 1> \\` and ` 2>&1`. These strings are specific to the execution of
    wmiexec.py, which provides a semi-interactive shell via WMI. Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0357
    - attack.execution
    - attack.t1047
    - attack.lateral_movement
    - attack.t1021
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cmd.exe /Q /c '
            - ' 1> \\'
            - ' 2>&1'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file.yml:
--------------------------------------------------------------------------------
title: Kerberos .kirbi Ticket Files
id: 8132d811-8314-40bc-9bb0-4bcdc33605e9
status: experimental
description: |
    Kerberos ticket files (.kirbi) are of interest to adversaries as they can
    contain sensitive data such as NTLM hashes that can be cracked offline. To
    perform these attacks, a unique file extension variable is defined within
    Mimikatz that designates the default extension as .kirbi. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/impacket/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0002
    - attack.credential_access
    - attack.t1558
    - attack.t1558.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.kirbi'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names.yml:
--------------------------------------------------------------------------------
title: Mimikatz Module Names
id: 8628d9d9-3a53-4d2e-b1cf-1d2e606cfd1d
status: experimental
description: |
    Identifies processes in which Mimikatz module names are observed as command-line parameters.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/mimikatz/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'lsadump::sam'
            - 'sekurlsa::tickets'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_script_execution.yml:
--------------------------------------------------------------------------------
title: Qbot Mounted Drive Script Executions
id: e69d709f-097f-4798-bf9a-aa600fc3249f
status: experimental
description: |
    Detects Windows Scripting Host processes (wscript.exe and cscript.exe) that are
    invoking the execution of common scripting formats that Red Canary has observed
    being used by Qbot (such as .js, .vbs, and .wsf) that are from a logical mounted
    drive using the drive letters D: through Z: and that have a child process. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.s0650
    - attack.execution
    - attack.t1059
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        # script path on a mounted drive D: through Z: ending in .js, .vbs or .wsf
        CommandLine|re: '[d-zD-Z]:\\.*\.(js|vbs|wsf)$'
    condition: selection
falsepositives:
    - Unknown
level: low
--------------------------------------------------------------------------------
/2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_cmdline_netconn_no_params.yml:
--------------------------------------------------------------------------------
title: Network Connections from the Command Line with no Parameters
id: 1b49c5af-3774-4364-9c49-827fd59417cb
status: experimental
description: |
    It is unusual for these processes (regsvr32.exe, rundll32.exe and dllhost.exe) to attempt
    network connections with an empty command line, which can indicate malicious command and
    control (C2) activity. Part of the RedCanary 2024 Threat Detection Report.
8 | references: 9 | - https://redcanary.com/threat-detection-report/threats/raspberry-robin/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.command_and_control 14 | logsource: 15 | category: network_connection 16 | product: windows 17 | detection: 18 | selection: 19 | Image|endswith: 20 | - '\regsvr32.exe' 21 | - '\rundll32.exe' 22 | - '\dllhost.exe' 23 | CommandLine: null 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_download.yml: -------------------------------------------------------------------------------- 1 | title: Windows Installer (msiexec.exe) Downloading and Executing Packages 2 | id: 2b09f558-14dc-40ac-b962-66386b5785c1 3 | status: experimental 4 | description: | 5 | To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, 6 | it’s essential to take a look at the command line and the URL. Detecting 7 | msiexec.exe making outbound network connections to download and install packages 8 | in the command-line interface will give you the opportunity to examine the 9 | activity and determine if it’s malicious or not. Part of the RedCanary 2024 10 | Threat Detection Report. 
11 | references: 12 | - https://redcanary.com/threat-detection-report/threats/raspberry-robin/ 13 | author: RedCanary, Sigma formatting by Micah Babinski 14 | date: 2024/03/21 15 | tags: 16 | - attack.defense_evasion 17 | - attack.t1218 18 | - attack.t1218.007 19 | logsource: 20 | category: process_creation 21 | product: windows 22 | detection: 23 | selection1: 24 | Image|endswith: '\msiexec' 25 | selection2: 26 | CommandLine|contains: 27 | - 'http:' 28 | - 'https:' 29 | selection3: 30 | CommandLine|contains|windash: '/q' 31 | condition: all of selection* 32 | falsepositives: 33 | - Unknown 34 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_smashjacker_appinit_dll_installation.yml: -------------------------------------------------------------------------------- 1 | title: AppInit DLL Installation 2 | id: 65e7b868-ebe9-4e8a-b828-3bd2181bc407 3 | status: experimental 4 | description: | 5 | One persistence mechanism used by some variations of SmashJacker was an AppInit DLL. 6 | It would use a reg.exe command to create appropriate Windows Registry keys for 7 | persistence. Part of the RedCanary 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/threats/smashjacker/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.privilege_escalation 14 | - attack.persistence 15 | - attack.t1546 16 | - attack.t1546.010 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | Image|endswith: '\reg.exe' 23 | CommandLine|contains|all: 24 | - 'add' 25 | - 'AppInit_DLLs' 26 | condition: selection 27 | falsepositives: 28 | - Unknown 29 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_smashjacker_web_browser_loading_extension.yml: -------------------------------------------------------------------------------- 1 | title: Web Browser Loading Extension 2 | id: 81f18c2e-640e-411d-93c0-496bb713003c 3 | status: experimental 4 | description: | 5 | During execution, SmashJacker forced Google Chrome or Microsoft Edge to open with 6 | the command line argument --load-extension so a browser extension can install without 7 | user interaction. This analytic will likely uncover additional adware in an environment 8 | and may need tuning to take account for acceptable software installation. Part of the 9 | RedCanary 2024 Threat Detection Report. 
10 | references: 11 | - https://redcanary.com/threat-detection-report/threats/smashjacker/ 12 | author: RedCanary, Sigma formatting by Micah Babinski 13 | date: 2024/03/21 14 | tags: 15 | - attack.persistence 16 | - attack.t1176 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | Image|endswith: 23 | - '\chrome.exe' 24 | - '\msedge.exe' 25 | CommandLine|contains: '--load-extension' 26 | condition: selection 27 | falsepositives: 28 | - Unknown 29 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enum.yml: -------------------------------------------------------------------------------- 1 | title: Enumerating Domain Trust Relationships with Nltest.exe 2 | id: 3ddc7df5-780a-442a-8d41-269f476ed24a 3 | status: experimental 4 | description: | 5 | Left unchecked, SocGholish may lead to domain discovery. This type of behavior is 6 | often a precursor to ransomware activity, and should be quickly quelled to prevent 7 | further progression of the threat. Part of the RedCanary 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/threats/socgholish/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.discovery 14 | - attack.t1482 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Image|endswith: '\nltest.exe' 21 | CommandLine|contains: 22 | - '/domain_trusts' 23 | - '/all_trusts' 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_recon_file_output.yml: -------------------------------------------------------------------------------- 1 | title: Whoami Recon Writing Output to File 2 | id: abcdf274-2fbd-4736-a16b-032fcac54eee 3 | status: experimental 4 | description: | 5 | SocGholish employs several scripted reconnaissance commands. While much of this activity 6 | occurs in memory, one that stands out is the execution of whoami with the output redirected 7 | to a local temp file with the naming convention rad<5-hex-chars>.tmp. Part of the RedCanary 8 | 2024 Threat Detection Report. 
9 | references: 10 | - https://redcanary.com/threat-detection-report/threats/socgholish/ 11 | author: RedCanary, Sigma formatting by Micah Babinski 12 | date: 2024/03/21 13 | tags: 14 | - attack.discovery 15 | - attack.t1033 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection: 21 | ParentImage|endswith: '\wscript.exe' 22 | Image|endswith: '\cmd.exe' 23 | CommandLine|contains: 'whoami /all >>' 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_startup_folder_persistence.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Startup Folder Persistence 2 | id: 07fce851-4cab-4ea5-880c-daf9d18bb180 3 | status: experimental 4 | description: | 5 | Yellow Cockatoo Windows Startup folder for persistence. Not unique to Yellow Cockatoo, 6 | this detection opportunity is likely to identify persistence mechanisms in multiple 7 | threats. In the context of Yellow Cockatoo, this persistence mechanism eventually 8 | launches the command-line script that leads to the installation of a malicious DLL. Part 9 | of the RedCanary 2024 Threat Detection Report. 
10 | references: 11 | - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/ 12 | author: RedCanary, Sigma formatting by Micah Babinski 13 | date: 2024/03/21 14 | tags: 15 | - attack.persistence 16 | - attack.privilege_escalation 17 | - attack.t1547 18 | - attack.t1547.001 19 | logsource: 20 | category: file_event 21 | product: windows 22 | detection: 23 | selection1: 24 | Image|endswith: '\powershell.exe' 25 | TargetFilename|endswith: '.lnk' 26 | selection2: 27 | TargetFilename|contains: 'start menu\programs\startup' 28 | condition: all of selection* 29 | falsepositives: 30 | - Unknown 31 | level: low -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_susp_dotnet_methods.yml: -------------------------------------------------------------------------------- 1 | title: PowerShell Suspicious .NET Methods 2 | id: 016c4ee2-ca34-474b-bfdc-43e017a29b47 3 | status: experimental 4 | description: | 5 | Detects the loading of suspicious .NET methods, seen in PowerShell script load content. This 6 | behavior is not limited to Yellow Cockatoo and can be applied universally for malicious 7 | PowerShell obfuscation attempts. Part of the RedCanary 2024 Threat Detection Report. 
8 | references: 9 | - https://redcanary.com/threat-detection-report/threats/yellow-cockatoo/ 10 | author: RedCanary, Sigma formatting by Micah Babinski 11 | date: 2024/03/21 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1140 15 | - attack.t1574 16 | - attack.t1574.013 17 | logsource: 18 | product: windows 19 | category: ps_script 20 | definition: 'Requirements: Script Block Logging must be enabled' 21 | detection: 22 | selection: 23 | ScriptBlockText|contains: 24 | - 'aescryptoserviceprovider' 25 | - 'frombase64string' 26 | - 'user32.dll' 27 | condition: selection 28 | falsepositives: 29 | - Unknown 30 | level: low -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sigma-Rules 2 | A repository of my own Sigma detection rules. 3 | --------------------------------------------------------------------------------