├── LICENSE
├── general
├── dhcp_calloutdll.yml
├── dns_serverlevelplugindll.yml
├── ghostpack_safetykatz.yml
├── malware_backconnect_ports.yml
├── malware_verclsid_shellcode.yml
├── mimikatz_detection_lsass.yml
├── powershell_exploit_scripts.yml
├── powershell_network_connection.yml
├── powersploit_schtasks.yml
├── quarkspw_filedump.yml
├── rdp_reverse_tunnel.yml
├── rdp_settings_hijack.yml
├── rundll32_net_connections.yml
├── stickykey_like_backdoor.yml
├── susp_driver_load.yml
├── susp_powershell_rundll32.yml
├── susp_prog_location_network_connection.yml
├── susp_reg_persist_explorer_run.yml
├── susp_run_key_img_folder.yml
├── sysinternals_eula_accepted.yml
├── tsclient_filewrite_startup.yml
├── uac_bypass_eventvwr.yml
├── uac_bypass_sdclt.yml
└── win_reg_persistence.yml
└── process_creation
├── graylog
├── powershell_xor_commandline.txt
├── win_cmdkey_recon.txt
├── win_exploit_cve_2015_1641.txt
├── win_exploit_cve_2017_0261.txt
├── win_exploit_cve_2017_11882.txt
├── win_exploit_cve_2017_8759.txt
├── win_hack_rubeus.txt
├── win_lethalhta.txt
├── win_mal_lockergoga.txt
├── win_mal_wannacry.txt
├── win_malware_dridex.txt
├── win_malware_script_dropper.txt
├── win_malware_wannacry.txt
├── win_mavinject_proc_inj.txt
├── win_mshta_spawn_shell.txt
├── win_netsh_fw_add.txt
├── win_netsh_port_fwd.txt
├── win_netsh_port_fwd_3389.txt
├── win_office_shell.txt
├── win_plugx_susp_exe_locations.txt
├── win_possible_applocker_bypass.txt
├── win_powershell_amsi_bypass.txt
├── win_powershell_b64_shellcode.txt
├── win_powershell_download.txt
├── win_powershell_renamed_ps.txt
├── win_powershell_suspicious_parameter_variation.txt
├── win_process_creation_bitsadmin_download.txt
├── win_sdbinst_shim_persistence.txt
├── win_shell_spawn_susp_program.txt
├── win_spn_enum.txt
├── win_susp_calc.txt
├── win_susp_certutil_command.txt
├── win_susp_certutil_encode.txt
├── win_susp_cli_escape.txt
├── win_susp_cmd_http_appdata.txt
├── win_susp_control_dll_load.txt
├── win_susp_csc.txt
├── win_susp_exec_folder.txt
├── win_susp_execution_path.txt
├── win_susp_execution_path_webserver.txt
├── win_susp_gup.txt
├── win_susp_iss_module_install.txt
├── win_susp_mmc_source.txt
├── win_susp_msiexec_web_install.txt
├── win_susp_net_execution.txt
├── win_susp_ntdsutil.txt
├── win_susp_outlook.txt
├── win_susp_ping_hex_ip.txt
├── win_susp_powershell_enc_cmd.txt
├── win_susp_powershell_hidden_b64_cmd.txt
├── win_susp_powershell_parent_combo.txt
├── win_susp_procdump.txt
├── win_susp_process_creations.txt
├── win_susp_prog_location_process_starts.txt
├── win_susp_ps_appdata.txt
├── win_susp_rasdial_activity.txt
├── win_susp_recon_activity.txt
├── win_susp_regsvr32_anomalies.txt
├── win_susp_run_locations.txt
├── win_susp_rundll32_activity.txt
├── win_susp_schtask_creation.txt
├── win_susp_script_execution.txt
├── win_susp_squirrel_lolbin.txt
├── win_susp_svchost.txt
├── win_susp_sysprep_appdata.txt
├── win_susp_sysvol_access.txt
├── win_susp_taskmgr_localsystem.txt
├── win_susp_taskmgr_parent.txt
├── win_susp_tscon_localsystem.txt
├── win_susp_tscon_rdp_redirect.txt
├── win_susp_vssadmin_ntds_activity.txt
├── win_susp_whoami.txt
├── win_susp_wmi_execution.txt
├── win_system_exe_anomaly.txt
├── win_vul_java_remote_debugging.txt
├── win_webshell_detection.txt
├── win_webshell_spawn.txt
├── win_wmi_persistence_script_event_consumer.txt
├── win_wmi_spwns_powershell.txt
└── win_workflow_compiler.txt
└── sigma
├── powershell_xor_commandline.yml
├── win_cmdkey_recon.yml
├── win_exploit_cve_2015_1641.yml
├── win_exploit_cve_2017_0261.yml
├── win_exploit_cve_2017_11882.yml
├── win_exploit_cve_2017_8759.yml
├── win_hack_rubeus.yml
├── win_lethalhta.yml
├── win_mal_lockergoga.yml
├── win_mal_wannacry.yml
├── win_malware_dridex.yml
├── win_malware_script_dropper.yml
├── win_malware_wannacry.yml
├── win_mavinject_proc_inj.yml
├── win_mshta_spawn_shell.yml
├── win_netsh_fw_add.yml
├── win_netsh_port_fwd.yml
├── win_netsh_port_fwd_3389.yml
├── win_office_shell.yml
├── win_plugx_susp_exe_locations.yml
├── win_possible_applocker_bypass.yml
├── win_powershell_amsi_bypass.yml
├── win_powershell_b64_shellcode.yml
├── win_powershell_download.yml
├── win_powershell_renamed_ps.yml
├── win_powershell_suspicious_parameter_variation.yml
├── win_process_creation_bitsadmin_download.yml
├── win_sdbinst_shim_persistence.yml
├── win_shell_spawn_susp_program.yml
├── win_spn_enum.yml
├── win_susp_calc.yml
├── win_susp_certutil_command.yml
├── win_susp_certutil_encode.yml
├── win_susp_cli_escape.yml
├── win_susp_cmd_http_appdata.yml
├── win_susp_control_dll_load.yml
├── win_susp_csc.yml
├── win_susp_exec_folder.yml
├── win_susp_execution_path.yml
├── win_susp_execution_path_webserver.yml
├── win_susp_gup.yml
├── win_susp_iss_module_install.yml
├── win_susp_mmc_source.yml
├── win_susp_msiexec_web_install.yml
├── win_susp_net_execution.yml
├── win_susp_ntdsutil.yml
├── win_susp_outlook.yml
├── win_susp_ping_hex_ip.yml
├── win_susp_powershell_enc_cmd.yml
├── win_susp_powershell_hidden_b64_cmd.yml
├── win_susp_powershell_parent_combo.yml
├── win_susp_procdump.yml
├── win_susp_process_creations.yml
├── win_susp_prog_location_process_starts.yml
├── win_susp_ps_appdata.yml
├── win_susp_rasdial_activity.yml
├── win_susp_recon_activity.yml
├── win_susp_regsvr32_anomalies.yml
├── win_susp_run_locations.yml
├── win_susp_rundll32_activity.yml
├── win_susp_schtask_creation.yml
├── win_susp_script_execution.yml
├── win_susp_squirrel_lolbin.yml
├── win_susp_svchost.yml
├── win_susp_sysprep_appdata.yml
├── win_susp_sysvol_access.yml
├── win_susp_taskmgr_localsystem.yml
├── win_susp_taskmgr_parent.yml
├── win_susp_tscon_localsystem.yml
├── win_susp_tscon_rdp_redirect.yml
├── win_susp_vssadmin_ntds_activity.yml
├── win_susp_whoami.yml
├── win_susp_wmi_execution.yml
├── win_system_exe_anomaly.yml
├── win_vul_java_remote_debugging.yml
├── win_webshell_detection.yml
├── win_webshell_spawn.yml
├── win_wmi_persistence_script_event_consumer.yml
├── win_wmi_spwns_powershell.yml
└── win_workflow_compiler.yml
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program.  If not, see https://www.gnu.org/licenses/.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | https://www.gnu.org/licenses/.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | https://www.gnu.org/philosophy/why-not-lgpl.html.
675 |
--------------------------------------------------------------------------------
/general/dhcp_calloutdll.yml:
--------------------------------------------------------------------------------
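title: DHCP Callout DLL installation
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
  - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
  - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
  - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
author: PolyLogyx
tags:
  - attack.defense_evasion
  - attack.t1073
  - attack.t1112
logsource:
  product: win_plgx_extension
  # Key was misspelled "catrgory", which left the rule without a usable log source category.
  category: registry_events
detection:
  # Any write to either value fires: the DLL path list and the enable flag.
  # The DLL is only loaded when the DHCP Server service restarts, so a
  # subsequent service restart on the same host is the confirming event.
  selection:
    action: 'REG_SETVALUE'
    target_name:
      - '*\Services\DHCPServer\Parameters\CalloutDlls'
      - '*\Services\DHCPServer\Parameters\CalloutEnabled'
  condition: selection
falsepositives:
  - unknown
level: high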
27 |
--------------------------------------------------------------------------------
/general/dns_serverlevelplugindll.yml:
--------------------------------------------------------------------------------
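---
action: global
title: DNS ServerLevelPluginDll Install
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
references:
  - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
author: PolyLogyx
tags:
  - attack.defense_evasion
  - attack.t1073
detection:
  # Either the registry write on the DNS server or the dnscmd invocation is enough.
  condition: 1 of them
falsepositives:
  - unknown
level: high
---
logsource:
  product: win_plgx_extension
  category: registry_events
detection:
  dnsregmod:
    action: 'REG_SETVALUE'
    # When the value is set remotely through dnscmd/RPC (see reference) the
    # write is performed on the DNS server itself, so this selection fires
    # there, while the process selection below fires on the host running dnscmd.
    target_name: '*\services\DNS\Parameters\ServerLevelPluginDll'
---
logsource:
  category: process_creation
  product: win_plgx_extension
detection:
  dnsadmin:
    # Wildcards on both sides: the recorded command line may carry a full path
    # ("...\dnscmd.exe"), omit the ".exe", or name a remote server between the
    # executable and /config. The previous anchored pattern
    # 'dnscmd.exe /config /serverlevelplugindll *' matched none of those forms.
    cmdline: '*dnscmd*/config*/serverlevelplugindll*'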
--------------------------------------------------------------------------------
/general/ghostpack_safetykatz.yml:
--------------------------------------------------------------------------------
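title: Detection of SafetyKatz
status: experimental
description: Detects possible SafetyKatz Behaviour
references:
  - https://github.com/GhostPack/SafetyKatz
tags:
  - attack.credential_access
  - attack.t1003
author: PolyLogyx
date: 2018/07/24
logsource:
  product: win_plgx_extension
  # Key was misspelled "catrgory", which left the rule without a usable log source category.
  category: file_events
detection:
  # SafetyKatz's default output file for the LSASS minidump (see reference).
  # A rebuilt tool that uses a different file name will not match this rule.
  selection:
    action: 'FILE_CREATE'
    target_path: '*\Temp\debug.bin'
  condition: selection
falsepositives:
  - Unknown
level: high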
22 |
--------------------------------------------------------------------------------
/general/malware_backconnect_ports.yml:
--------------------------------------------------------------------------------
title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: PolyLogyx
date: 2017/03/19
tags: [attack.command_and_control, attack.t1043]
logsource:
  product: win_plgx_extension
detection:
  # Outbound connect to one of the remote ports the referenced sandbox
  # statistics list as typical back-connect ports. Port values are kept as
  # strings, matching the other port fields in this rule set.
  selection:
    action: 'SOCKET_CONNECT'
    remote_port: ['4443', '2448', '8143', '1777', '1443', '243', '65535',
                  '13506', '3360', '200', '198', '49180', '13507', '6625',
                  '4444', '4438', '1904', '13505', '13504', '12102', '9631',
                  '5445', '2443', '777', '13394', '13145', '12103', '5552',
                  '3939', '3675', '666', '473', '5649', '4455', '4433',
                  '1817', '100', '65520', '1960', '1515', '743', '700',
                  '14154', '14103', '14102', '12322', '10101', '7210',
                  '4040', '9943']
  # Binaries under Program Files are exempted. Keep in mind that a writable
  # Program Files subfolder lets anything dropped there inherit this exemption.
  filter1:
    process_name: '*\Program Files*'
  # RFC 1918 and loopback destinations are not back-connects to the internet.
  filter2:
    remote_address: ['10.*', '192.168.*',
                     '172.16.*', '172.17.*', '172.18.*', '172.19.*',
                     '172.20.*', '172.21.*', '172.22.*', '172.23.*',
                     '172.24.*', '172.25.*', '172.26.*', '172.27.*',
                     '172.28.*', '172.29.*', '172.30.*', '172.31.*',
                     '127.*']
  condition: selection and not ( filter1 or filter2 )
falsepositives:
  - unknown
level: medium
94 |
--------------------------------------------------------------------------------
/general/malware_verclsid_shellcode.yml:
--------------------------------------------------------------------------------
title: Malware Shellcode in Verclsid Target Process
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
  - https://twitter.com/JohnLaTwC/status/837743453039534080
author: PolyLogyx
date: 2017/03/04
tags: [attack.defense_evasion, attack.privilege_escalation, attack.t1055]
logsource:
  product: win_plgx_extension
detection:
  # A handle on verclsid.exe opened with full access (0x1FFFFF = PROCESS_ALL_ACCESS).
  selection:
    action: 'PROC_OPEN'
    target_path: '*\verclsid.exe'
    granted_access: '0x1FFFFF'
  # ...combined with either an unbacked ("UNKNOWN") frame followed by the VBA
  # runtime VBE7.DLL, or an Office binary as the caller plus any unbacked frame.
  # NOTE(review): the '|UNKNOWN(' form is Sysmon CallTrace syntax; confirm that
  # image_path in this product actually carries a call trace and not just the
  # image path of the calling process, otherwise neither combination can match.
  combination1:
    image_path: '*|UNKNOWN(*VBE7.DLL*'
  combination2:
    src_path: '*\Microsoft Office\\*'
    image_path: '*|UNKNOWN*'
  condition: selection and 1 of combination*
falsepositives:
  - unknown
level: high
28 |
29 |
30 |
--------------------------------------------------------------------------------
/general/mimikatz_detection_lsass.yml:
--------------------------------------------------------------------------------
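title: Mimikatz Detection LSASS Access
status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION, 0x0010 PROCESS_VM_READ)
references:
  - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
author: PolyLogyx
tags:
  - attack.t1003
  - attack.s0002
  - attack.credential_access
logsource:
  product: win_plgx_extension
detection:
  selection:
    action: 'PROC_OPEN'
    # Wildcarded drive and Windows directory: the previous literal
    # 'C:\windows\system32\lsass.exe' silently missed hosts whose system
    # drive is not C:.
    target_path: '*\system32\lsass.exe'
    # 0x1410 = QUERY_LIMITED_INFORMATION | QUERY_INFORMATION | VM_READ (classic mimikatz)
    # 0x1010 = QUERY_LIMITED_INFORMATION | VM_READ, the reduced mask seen with
    #          later mimikatz builds. Some security/monitoring agents read LSASS
    #          with the same rights, so expect to whitelist their process paths.
    granted_access:
      - '0x1410'
      - '0x1010'
  condition: selection
falsepositives:
  - unknown
level: high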
22 |
--------------------------------------------------------------------------------
/general/powershell_exploit_scripts.yml:
--------------------------------------------------------------------------------
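title: Malicious PowerShell Commandlet Names
status: experimental
description: Detects the creation of known powershell scripts for exploitation (matched by file name on FILE_CREATE, so a renamed or in-memory-only script is not covered)
references:
  - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
tags:
  - attack.execution
  - attack.t1086
author: PolyLogyx
date: 2018/04/07
logsource:
  product: win_plgx_extension
detection:
  # Script file names from PowerSploit, PowerShell Empire, Nishang and related
  # toolkits, written to disk anywhere on the host.
  selection:
    action: 'FILE_CREATE'
    target_path:
      - '*\Invoke-DllInjection.ps1'
      - '*\Invoke-WmiCommand.ps1'
      - '*\Get-GPPPassword.ps1'
      - '*\Get-Keystrokes.ps1'
      - '*\Get-VaultCredential.ps1'
      - '*\Invoke-CredentialInjection.ps1'
      - '*\Invoke-Mimikatz.ps1'
      - '*\Invoke-NinjaCopy.ps1'
      - '*\Invoke-TokenManipulation.ps1'
      - '*\Out-Minidump.ps1'
      - '*\VolumeShadowCopyTools.ps1'
      - '*\Invoke-ReflectivePEInjection.ps1'
      - '*\Get-TimedScreenshot.ps1'
      - '*\Invoke-UserHunter.ps1'
      - '*\Find-GPOLocation.ps1'
      - '*\Invoke-ACLScanner.ps1'
      - '*\Invoke-DowngradeAccount.ps1'
      - '*\Get-ServiceUnquoted.ps1'
      - '*\Get-ServiceFilePermission.ps1'
      - '*\Get-ServicePermission.ps1'
      - '*\Invoke-ServiceAbuse.ps1'
      - '*\Install-ServiceBinary.ps1'
      - '*\Get-RegAutoLogon.ps1'
      - '*\Get-VulnAutoRun.ps1'
      - '*\Get-VulnSchTask.ps1'
      - '*\Get-UnattendedInstallFile.ps1'
      - '*\Get-WebConfig.ps1'
      - '*\Get-ApplicationHost.ps1'
      - '*\Get-RegAlwaysInstallElevated.ps1'
      - '*\Get-Unconstrained.ps1'
      - '*\Add-RegBackdoor.ps1'
      - '*\Add-ScrnSaveBackdoor.ps1'
      - '*\Gupt-Backdoor.ps1'
      - '*\Invoke-ADSBackdoor.ps1'
      # The upstream list carries "Enabled-"; the Nishang script on disk is
      # "Enable-DuplicateToken.ps1", so both spellings are kept.
      - '*\Enabled-DuplicateToken.ps1'
      - '*\Enable-DuplicateToken.ps1'
      - '*\Invoke-PsUaCme.ps1'
      - '*\Remove-Update.ps1'
      - '*\Check-VM.ps1'
      - '*\Get-LSASecret.ps1'
      - '*\Get-PassHashes.ps1'
      - '*\Show-TargetScreen.ps1'
      - '*\Port-Scan.ps1'
      - '*\Invoke-PoshRatHttp.ps1'
      - '*\Invoke-PowerShellTCP.ps1'
      - '*\Invoke-PowerShellWMI.ps1'
      - '*\Add-Exfiltration.ps1'
      - '*\Add-Persistence.ps1'
      - '*\Do-Exfiltration.ps1'
      - '*\Start-CaptureServer.ps1'
      - '*\Invoke-ShellCode.ps1'
      - '*\Get-ChromeDump.ps1'
      - '*\Get-ClipboardContents.ps1'
      - '*\Get-FoxDump.ps1'
      - '*\Get-IndexedItem.ps1'
      - '*\Get-Screenshot.ps1'
      - '*\Invoke-Inveigh.ps1'
      - '*\Invoke-NetRipper.ps1'
      - '*\Invoke-EgressCheck.ps1'
      - '*\Invoke-PostExfil.ps1'
      - '*\Invoke-PSInject.ps1'
      - '*\Invoke-RunAs.ps1'
      - '*\MailRaider.ps1'
      - '*\New-HoneyHash.ps1'
      - '*\Set-MacAttribute.ps1'
      - '*\Invoke-DCSync.ps1'
      - '*\Invoke-PowerDump.ps1'
      - '*\Exploit-Jboss.ps1'
      - '*\Invoke-ThunderStruck.ps1'
      - '*\Invoke-VoiceTroll.ps1'
      - '*\Set-Wallpaper.ps1'
      - '*\Invoke-InveighRelay.ps1'
      - '*\Invoke-PsExec.ps1'
      - '*\Invoke-SSHCommand.ps1'
      - '*\Get-SecurityPackages.ps1'
      - '*\Install-SSP.ps1'
      - '*\Invoke-BackdoorLNK.ps1'
      - '*\PowerBreach.ps1'
      - '*\Get-SiteListPassword.ps1'
      - '*\Get-System.ps1'
      - '*\Invoke-BypassUAC.ps1'
      - '*\Invoke-Tater.ps1'
      - '*\Invoke-WScriptBypassUAC.ps1'
      - '*\PowerUp.ps1'
      - '*\PowerView.ps1'
      - '*\Get-RickAstley.ps1'
      - '*\Find-Fruit.ps1'
      - '*\HTTP-Login.ps1'
      - '*\Find-TrustedDocuments.ps1'
      - '*\Invoke-Paranoia.ps1'
      - '*\Invoke-WinEnum.ps1'
      - '*\Invoke-ARPScan.ps1'
      - '*\Invoke-PortScan.ps1'
      - '*\Invoke-ReverseDNSLookup.ps1'
      - '*\Invoke-SMBScanner.ps1'
      - '*\Invoke-Mimikittenz.ps1'
  condition: selection
falsepositives:
  - Penetration Tests
level: high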
116 |
117 |
--------------------------------------------------------------------------------
/general/powershell_network_connection.yml:
--------------------------------------------------------------------------------
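title: PowerShell Network Connections
status: experimental
description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
author: PolyLogyx
references:
  - https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
  - attack.execution
  - attack.t1086
logsource:
  product: win_plgx_extension
detection:
  selection:
    action: 'SOCKET_CONNECT'
    process_name: '*\powershell.exe'
  # Keys inside one selection map are AND-ed: an event is suppressed only when
  # the destination is a private/loopback address AND the process runs as
  # SYSTEM. User-context PowerShell reaching internal hosts still fires (hence
  # the low level). Split this into two filters if either condition alone
  # should suppress.
  filter:
    remote_address:
      - '10.*'
      - '192.168.*'
      - '172.16.*'
      - '172.17.*'
      - '172.18.*'
      - '172.19.*'
      - '172.20.*'
      - '172.21.*'
      - '172.22.*'
      - '172.23.*'
      - '172.24.*'
      - '172.25.*'
      - '172.26.*'
      - '172.27.*'
      - '172.28.*'
      - '172.29.*'
      - '172.30.*'
      - '172.31.*'
      # whole loopback block, as in the other SOCKET_CONNECT rules of this set
      # (was only '127.0.0.1')
      - '127.*'
    owner_uid: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter
falsepositives:
  - Administrative scripts
level: low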
42 |
--------------------------------------------------------------------------------
/general/powersploit_schtasks.yml:
--------------------------------------------------------------------------------
title: Default PowerSploit Schtasks Persistence
status: experimental
description: Detects the creation of a schtask via PowerSploit Default Configuration
references:
  - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
author: PolyLogyx
date: 2018/03/06
tags: [attack.execution, attack.persistence, attack.privilege_escalation,
       attack.t1053, attack.t1086, attack.s0111, attack.g0022, attack.g0060]
logsource:
  product: win_plgx_extension
detection:
  # schtasks.exe started by PowerShell with "/RU system" and one of the four
  # trigger types the PowerSploit Persistence module uses by default (see
  # reference). The patterns need "\schtasks.exe" in the command line, i.e.
  # the path-qualified form; a bare "schtasks /Create ..." would not match.
  selection:
    parent_path: '*\Powershell.exe'
    cmdline: ['*\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*',
              '*\schtasks.exe*/Create*/RU*system*/SC*DAILY*',
              '*\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*',
              '*\schtasks.exe*/Create*/RU*system*/SC*HOURLY*']
  condition: selection
falsepositives:
  - False positives are possible, depends on organisation and processes
level: high
32 |
--------------------------------------------------------------------------------
/general/quarkspw_filedump.yml:
--------------------------------------------------------------------------------
title: QuarksPwDump Dump File
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
  - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: PolyLogyx
date: 2018/02/10
tags: [attack.credential_access, attack.t1003]
logsource:
  product: win_plgx_extension
detection:
  # QuarksPwDump writes its SAM dump as "SAM-<...>.dmp" under the user's local
  # Temp directory (see reference). The trailing wildcard also catches
  # variants with extra suffixes after ".dmp".
  selection:
    action: 'FILE_CREATE'
    target_path: '*\AppData\Local\Temp\SAM-*.dmp*'
  condition: selection
falsepositives:
  - Unknown
level: critical
21 |
22 |
--------------------------------------------------------------------------------
/general/rdp_reverse_tunnel.yml:
--------------------------------------------------------------------------------
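title: RDP over Reverse SSH Tunnel
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
  - https://twitter.com/SBousseaden/status/1096148422984384514
author: PolyLogyx
date: 2019/02/16
tags:
  - attack.defense_evasion
  - attack.command_and_control
  - attack.t1076
logsource:
  product: win_plgx_extension
detection:
  selection:
    action: 'SOCKET_CONNECT'
    process_name: '*\svchost.exe'
    # Local (listener) port of the RDP service, quoted like the port values in
    # the other rules of this set.
    # NOTE(review): none of the sibling rules use "src_port"; confirm this is
    # the extension's name for the local port on SOCKET_CONNECT events.
    src_port: '3389'
    # Peer is loopback: RDP traffic arrives through a local tunnel endpoint
    # (e.g. ssh -R) instead of from the network. Renamed from "dst_address"
    # to remote_address, the field every other SOCKET_CONNECT rule in this set
    # uses. If SOCKET_CONNECT only records outbound connect() calls, the
    # inbound (accept) side of termsvcs may need a separate action - verify.
    remote_address:
      - '127.*'
      - '::1'
  condition: selection
falsepositives:
  - unknown
level: high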
--------------------------------------------------------------------------------
/general/rdp_settings_hijack.yml:
--------------------------------------------------------------------------------
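title: RDP Sensitive Settings Changed
status: experimental
description: Detects changes to RDP terminal service sensitive settings
references:
  - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
author: PolyLogyx
tags:
  - attack.defense_evasion
logsource:
  product: win_plgx_extension
detection:
  selection_reg:
    action: 'REG_SETVALUE'
    target_name:
      # ServiceDll swap: replaces the DLL hosting TermService (see reference)
      - '*\services\TermService\Parameters\ServiceDll*'
      # per-user session limit, relevant to RDP session hijacking (see reference)
      - '*\Control\Terminal Server\fSingleSessionPerUser*'
      # 0 enables Remote Desktop; this is also what the System Properties
      # "Allow remote connections" toggle and the matching GPO write
      - '*\Control\Terminal Server\fDenyTSConnections*'
  condition: selection_reg
falsepositives:
  - Administrators enabling or disabling Remote Desktop (fDenyTSConnections) or changing session limits via System Properties or Group Policy
level: high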
22 |
--------------------------------------------------------------------------------
/general/rundll32_net_connections.yml:
--------------------------------------------------------------------------------
title: Rundll32 Internet Connection
status: experimental
description: Detects a rundll32 that communicates with public IP addresses
references:
  - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: PolyLogyx
date: 2017/11/04
tags: [attack.t1085, attack.defense_evasion, attack.execution]
logsource:
  product: win_plgx_extension
detection:
  selection:
    action: 'SOCKET_CONNECT'
    process_name: '*\rundll32.exe'
  # "Public" here means anything outside RFC 1918 and loopback space. Add the
  # organisation's own public ranges to this list to reduce the documented
  # false positives.
  filter:
    remote_address: ['10.*', '192.168.*',
                     '172.16.*', '172.17.*', '172.18.*', '172.19.*',
                     '172.20.*', '172.21.*', '172.22.*', '172.23.*',
                     '172.24.*', '172.25.*', '172.26.*', '172.27.*',
                     '172.28.*', '172.29.*', '172.30.*', '172.31.*',
                     '127.*']
  condition: selection and not filter
falsepositives:
  - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
43 |
--------------------------------------------------------------------------------
/general/stickykey_like_backdoor.yml:
--------------------------------------------------------------------------------
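---
action: global
title: Sticky Key Like Backdoor Usage
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
  - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
  - attack.privilege_escalation
  - attack.persistence
  - attack.t1015
author: PolyLogyx
date: 2018/03/15
detection:
  # Fires on either the IFEO Debugger registration (installation) or the
  # resulting winlogon-spawned shell (usage); the documents below supply both.
  condition: 1 of them
falsepositives:
  - Unlikely
level: critical
---
logsource:
  product: win_plgx_extension
detection:
  # Debugger value written under Image File Execution Options for the
  # accessibility binaries reachable from the logon screen. AtBroker.exe
  # (the Ease of Access app switcher) is added to the original list.
  selection_registry:
    action: 'REG_SETVALUE'
    target_name:
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
      - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe\Debugger'
---
logsource:
  category: process_creation
  product: win_plgx_extension
detection:
  # A debugger registered as cmd.exe is launched by winlogon with the original
  # accessibility binary appended as its first argument.
  selection_process:
    parent_path:
      - '*\winlogon.exe'
    cmdline:
      - '*cmd.exe sethc.exe *'
      - '*cmd.exe utilman.exe *'
      - '*cmd.exe osk.exe *'
      - '*cmd.exe Magnify.exe *'
      - '*cmd.exe Narrator.exe *'
      - '*cmd.exe DisplaySwitch.exe *'
      - '*cmd.exe AtBroker.exe *'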
46 |
--------------------------------------------------------------------------------
/general/susp_driver_load.yml:
--------------------------------------------------------------------------------
title: Suspicious Driver Load from Temp
description: Detects a driver load from a temporary directory
author: PolyLogyx
tags: [attack.persistence, attack.t1050]
logsource:
  product: win_plgx_extension
detection:
  # Image loaded from any path that contains a "\Temp\" component. The '\\*'
  # ending is Sigma escaping: a literal backslash followed by a wildcard.
  # NOTE(review): unlike the other rules in this set there is no action or
  # category pinning this to driver-load events, so any event type carrying
  # an image_path under Temp will match. Confirm which event the extension
  # emits for driver loads and restrict the selection to it.
  selection:
    image_path: '*\Temp\\*'
  condition: selection
falsepositives:
  - there is a relevant set of false positives depending on applications in the environment
level: medium
16 |
--------------------------------------------------------------------------------
/general/susp_powershell_rundll32.yml:
--------------------------------------------------------------------------------
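title: PowerShell Rundll32 Remote Thread Creation
status: experimental
# NOTE(review): the selection keys on PROC_OPEN (a process-handle open from
# PowerShell into rundll32.exe), which is the precursor of a remote-thread
# injection rather than the thread creation itself. Expect it to also fire on
# benign handle opens (process enumeration, WMI) if the extension reports those.
description: Detects PowerShell remote thread creation in Rundll32.exe
author: PolyLogyx
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
date: 2018/06/25
logsource:
    product: win_plgx_extension
detection:
    selection:
        action: 'PROC_OPEN'
        # Both the Windows PowerShell host and the PowerShell Core host
        # (pwsh.exe) can run the same injection code.
        src_path:
            - '*\powershell.exe'
            - '*\pwsh.exe'
        target_path: '*\rundll32.exe'
    condition: selection
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1085
    - attack.t1086
falsepositives:
    # Was "Unkown".
    - Unknown
level: high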
24 |
--------------------------------------------------------------------------------
/general/susp_prog_location_network_connection.yml:
--------------------------------------------------------------------------------
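title: Suspicious Program Location with Network Connections
status: experimental
description: Detects programs with network connections running in suspicious file system locations
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: PolyLogyx
date: 2017/03/19
logsource:
    product: win_plgx_extension
    # The selection keys on the extension's socket events, not on Sysmon
    # Event ID 3 as the previous (Sysmon-era) definition text claimed.
    definition: 'Requires the extension socket-connect events (action SOCKET_CONNECT)'
detection:
    selection:
        action: 'SOCKET_CONNECT'
        # Full image path of the connecting process. Every directory pattern
        # ends in '\\*' (literal backslash, then wildcard) so anything *inside*
        # the directory matches.
        process_name:
            # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
            # Was '*\$Recycle.bin' (no trailing wildcard), which could only
            # match a process whose path *ends* in $Recycle.bin - never a
            # binary dropped inside it.
            - '*\$Recycle.bin\\*'
            - '*\Users\All Users\\*'
            - '*\Users\Default\\*'
            - '*\Users\Public\\*'
            - 'C:\Perflogs\\*'
            - '*\config\systemprofile\\*'
            - '*\Windows\Fonts\\*'
            - '*\Windows\IME\\*'
            - '*\Windows\addins\\*'
        # NOTE(review): the Graylog rendering of these paths in this corpus
        # (win_susp_execution_path.txt) reads `owner_uids` where this rule has
        # `Users`, and keeps the un-wildcarded $Recycle.bin; make sure the
        # deployed query carries the real paths.
    condition: selection
falsepositives:
    - unknown
level: high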
29 |
--------------------------------------------------------------------------------
/general/susp_reg_persist_explorer_run.yml:
--------------------------------------------------------------------------------
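title: Registry Persistence via Explorer Run Key
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
author: PolyLogyx
date: 2018/07/18
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
logsource:
    product: win_plgx_extension
detection:
    selection:
        action: 'REG_SETVALUE'
        # target_name carries the value name after the key path (cf. the
        # '...\CurrentVersion\Run\\*' patterns in susp_run_key_img_folder.yml),
        # so the pattern needs a trailing wildcard. Without it only a value
        # literally named "Run" under Policies\Explorer could match, and real
        # entries (arbitrary value names under the Run key) were missed.
        target_name: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\*'
        # Data written to the value: an executable under a writable, rarely
        # legitimate launch location.
        value_data:
            - 'C:\Windows\Temp\\*'
            - 'C:\ProgramData\\*'
            - '*\AppData\\*'
            - 'C:\$Recycle.bin\\*'
            - 'C:\Temp\\*'
            - 'C:\Users\Public\\*'
            - 'C:\Users\Default\\*'
    condition: selection
tags:
    - attack.persistence
    - attack.t1060
    - capec.270
falsepositives:
    - Unknown
level: high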
30 |
31 |
--------------------------------------------------------------------------------
/general/susp_run_key_img_folder.yml:
--------------------------------------------------------------------------------
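title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: PolyLogyx
tags:
    - attack.persistence
    - attack.t1060
# Was 2018/25/08, which is not a valid YYYY/MM/DD date.
date: 2018/08/25
logsource:
    product: win_plgx_extension
detection:
    selection:
        action: 'REG_SETVALUE'
        # Any value written under the Run or RunOnce key (the value name
        # follows the key path in target_name, hence the trailing wildcard).
        target_name:
            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
        value_data:
            - 'C:\Windows\Temp\\*'
            - '*\AppData\\*'
            - 'C:\$Recycle.bin\\*'
            - 'C:\Temp\\*'
            - 'C:\Users\Public\\*'
            - 'C:\Users\Default\\*'
            # Was 'C:\Users\Desktop\\*', a path that does not exist on Windows;
            # the per-user Desktop folders sit one level deeper.
            - 'C:\Users\\*\Desktop\\*'
    condition: selection
falsepositives:
    - Software with rare behaviour
level: high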
31 |
--------------------------------------------------------------------------------
/general/sysinternals_eula_accepted.yml:
--------------------------------------------------------------------------------
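---
action: global
title: Usage of Sysinternals Tools
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
author: PolyLogyx
detection:
    # Either leg on its own is enough: the registry write or the switch.
    condition: 1 of them
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
---
logsource:
    product: win_plgx_extension
detection:
    selection1:
        action: 'REG_SETVALUE'
        # Sysinternals tools typically record EULA acceptance under
        # HKCU\Software\Sysinternals\<Tool>\EulaAccepted. The pattern is kept
        # loose on purpose (see the second false-positive entry); narrowing it
        # to '*\Sysinternals\\*\EulaAccepted' would cut that noise - confirm
        # against the key paths your tool versions actually write.
        target_name: '*\EulaAccepted'
---
logsource:
    category: process_creation
    product: win_plgx_extension
detection:
    selection2:
        # The tools accept the switch with either prefix character; the
        # original rule only looked for the dash form.
        cmdline:
            - '* -accepteula*'
            - '* /accepteula*'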
--------------------------------------------------------------------------------
/general/tsclient_filewrite_startup.yml:
--------------------------------------------------------------------------------
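title: Hijack legit RDP session to move laterally
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
author: PolyLogyx
# Tags follow the (older) ATT&CK numbering used by the sibling rules:
# T1076 Remote Desktop Protocol, T1060 Registry Run Keys / Startup Folder.
tags:
    - attack.lateral_movement
    - attack.t1076
    - attack.persistence
    - attack.t1060
logsource:
    product: win_plgx_extension
detection:
    selection:
        action: 'FILE_CREATE'
        # On the RDP client, a write coming back through the \\tsclient share
        # is attributed to mstsc.exe, so the dropped file lands in the client's
        # Startup folder with mstsc.exe as the creating process.
        process_name: '*\mstsc.exe'
        # Was '...\Startup\*'. In Sigma '\*' is an escaped, literal asterisk,
        # so the pattern could only match a file literally named "*"; the
        # sibling rules use '\\*' (literal backslash, then wildcard) for
        # "anything inside this directory".
        target_path: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
    condition: selection
falsepositives:
    - unknown
level: high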
17 |
--------------------------------------------------------------------------------
/general/uac_bypass_eventvwr.yml:
--------------------------------------------------------------------------------
title: UAC Bypass via Event Viewer
status: experimental
description: Detects UAC bypass method using Windows event viewer
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: PolyLogyx
logsource:
    product: win_plgx_extension
detection:
    # Registry leg: the per-user mscfile handler that eventvwr.exe resolves
    # (HKCU appears as HKEY_USERS\<SID>\... to a system-wide sensor, hence
    # the wildcard after the hive).
    methregistry:
        action: 'REG_SETVALUE'
        # NOTE(review): the hijacked value is the key's (Default) value. The
        # sibling rules end their patterns on a value name (e.g. the sdclt
        # rule's '\isolatedCommand'); confirm how the extension renders a
        # default-value write in target_name - if it appends a value name,
        # this pattern needs a trailing '\\*' to match at all.
        target_name: 'HKEY_USERS\\*\mscfile\shell\open\command'
    # Process leg: any child of eventvwr.exe other than mmc.exe, which the
    # filter below treats as the one expected child.
    methprocess:
        action: 'PROC_CREATE' # Migration to process_creation requires multipart YAML
        parent_path: '*\eventvwr.exe'
    filterprocess:
        path: '*\mmc.exe'
    condition: methregistry or ( methprocess and not filterprocess )
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1088
falsepositives:
    - unknown
level: critical
--------------------------------------------------------------------------------
/general/uac_bypass_sdclt.yml:
--------------------------------------------------------------------------------
title: UAC Bypass via sdclt
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: PolyLogyx
logsource:
    product: win_plgx_extension
detection:
    selection:
        action: 'REG_SETVALUE'
        # HKCU is seen as HKEY_USERS\<SID>\... by a system-wide sensor, hence
        # the wildcard between the hive and the Classes subtree. The pattern
        # ends on the value name (isolatedCommand), so only writes of that
        # value match.
        target_name: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
    # Registry-only: there is no process leg on sdclt.exe's child, so other
    # sdclt.exe bypass variants that hijack a different key are not caught.
    condition: selection
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1088
falsepositives:
    - unknown
level: high
21 |
22 |
--------------------------------------------------------------------------------
/general/win_reg_persistence.yml:
--------------------------------------------------------------------------------
title: Registry Persistence Mechanisms
description: Detects persistence registry keys
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
author: PolyLogyx
logsource:
    product: win_plgx_extension
detection:
    selection_reg1:
        action: 'REG_SETVALUE'
        # The three values the referenced technique chains: GlobalFlag under a
        # program's IFEO key turns on silent-process-exit monitoring, and the
        # ReportingMode/MonitorProcess values under SilentProcessExit\<program>
        # name the command run when that program exits. The '\\*' in the middle
        # of each pattern stands for the monitored program's name; each pattern
        # ends on the value name.
        target_name:
            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
    condition: selection_reg1
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.defense_evasion
    - attack.t1183
falsepositives:
    # NOTE(review): GlobalFlag is also written by debugging tooling (e.g.
    # gflags.exe), so "unknown" understates the FP set on developer hosts.
    - unknown
level: critical
25 |
--------------------------------------------------------------------------------
/process_creation/graylog/powershell_xor_commandline.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* \-bxor*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_cmdkey_recon.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\cmdkey.exe" AND cmdline:"* \/list *")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_exploit_cve_2015_1641.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\WINWORD.EXE" AND path:"*\\MicroScMgmt.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_exploit_cve_2017_0261.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\WINWORD.EXE" AND path:"*\\FLTLDR.exe*")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_exploit_cve_2017_11882.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\EQNEDT32.EXE")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_exploit_cve_2017_8759.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\WINWORD.EXE" AND path:"*\\csc.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_hack_rubeus.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* asreproast *" "* dump \/service\:krbtgt *" "* kerberoast *" "* createnetonly \/program\:*" "* ptt \/ticket\:*" "* \/impersonateuser\:*" "* renew \/ticket\:*" "* asktgt \/user\:*" "* harvest \/interval\:*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_lethalhta.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\svchost.exe" AND path:"*\\mshta.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_mal_lockergoga.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"* cl Microsoft\-Windows\-WMI\-Activity\/Trace")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_mal_wannacry.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (cmdline:("*vssadmin delete shadows*" "*icacls * \/grant Everyone\:F \/T \/C \/Q*" "*bcdedit \/set \{default\} recoveryenabled no*" "*wbadmin delete catalog \-quiet*") OR path:("*\\tasksche.exe" "*\\mssecsvc.exe" "*\\taskdl.exe" "*\\WanaDecryptor*" "*\\taskhsvc.exe" "*\\taskse.exe" "*\\111.exe" "*\\lhdfrgui.exe" "*\\diskpart.exe" "*\\linuxnew.exe" "*\\wannacry.exe")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_malware_dridex.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (cmdline:"*\\svchost.exe C\:\\owner_uids\\*\\Desktop\\*" OR (parent_path:"*\\svchost.exe*" AND cmdline:("*whoami.exe \/all" "*net.exe view"))))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_malware_script_dropper.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (path:("*\\wscript.exe" "*\\cscript.exe") AND cmdline:("* C\:\\owner_uids\\*.jse *" "* C\:\\owner_uids\\*.vbe *" "* C\:\\owner_uids\\*.js *" "* C\:\\owner_uids\\*.vba *" "* C\:\\owner_uids\\*.vbs *" "* C\:\\ProgramData\\*.jse *" "* C\:\\ProgramData\\*.vbe *" "* C\:\\ProgramData\\*.js *" "* C\:\\ProgramData\\*.vba *" "* C\:\\ProgramData\\*.vbs *")) AND NOT (parent_path:"*\\winzip*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_malware_wannacry.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (path:("*\\tasksche.exe" "*\\mssecsvc.exe" "*\\taskdl.exe" "*\\@WanaDecryptor@*" "*\\taskhsvc.exe" "*\\taskse.exe" "*\\111.exe" "*\\lhdfrgui.exe" "*\\diskpart.exe" "*\\linuxnew.exe" "*\\wannacry.exe") OR cmdline:("*vssadmin delete shadows*" "*icacls * \/grant Everyone\:F \/T \/C \/Q*" "*bcdedit \/set \{default\} recoveryenabled no*" "*wbadmin delete catalog \-quiet*" "*@Please_Read_Me@.txt*")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_mavinject_proc_inj.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"* \/INJECTRUNNING *")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_mshta_spawn_shell.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (parent_path:"*\\mshta.exe" AND path:("*\\cmd.exe" "*\\powershell.exe" "*\\wscript.exe" "*\\cscript.exe" "*\\sh.exe" "*\\bash.exe" "*\\reg.exe" "*\\regsvr32.exe" "*\\BITSADMIN*")) AND NOT (cmdline:("*\/HP\/HP*" "*\\HP\\HP*")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_netsh_fw_add.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*netsh firewall add*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_netsh_port_fwd.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("netsh interface portproxy add v4tov4 *"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_netsh_port_fwd_3389.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("netsh i* p*=3389 c*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_office_shell.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:("*\\WINWORD.EXE" "*\\EXCEL.EXE" "*\\POWERPNT.exe" "*\\MSPUB.exe" "*\\VISIO.exe" "*\\OUTLOOK.EXE") AND path:("*\\cmd.exe" "*\\powershell.exe" "*\\wscript.exe" "*\\cscript.exe" "*\\sh.exe" "*\\bash.exe" "*\\scrcons.exe" "*\\schtasks.exe" "*\\regsvr32.exe" "*\\hh.exe" "*\\wmic.exe" "*\\mshta.exe" "*\\rundll32.exe" "*\\msiexec.exe" "*\\forfiles.exe" "*\\scriptrunner.exe" "*\\mftrace.exe" "*\\AppVLP.exe" "*\\svchost.exe"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_plugx_susp_exe_locations.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND ((((((((((((path:"*\\CamMute.exe" AND NOT (path:"*\\Lenovo\\Communication Utility\\*")) OR (path:"*\\chrome_frame_helper.exe" AND NOT (path:"*\\Google\\Chrome\\application\\*"))) OR (path:"*\\dvcemumanager.exe" AND NOT (path:"*\\Microsoft Device Emulator\\*"))) OR (path:"*\\Gadget.exe" AND NOT (path:"*\\Windows Media Player\\*"))) OR (path:"*\\hcc.exe" AND NOT (path:"*\\HTML Help Workshop\\*"))) OR (path:"*\\hkcmd.exe" AND NOT (path:("*\\System32\\*" "*\\SysNative\\*" "*\\SysWowo64\\*")))) OR (path:"*\\Mc.exe" AND NOT (path:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*")))) OR (path:"*\\MsMpEng.exe" AND NOT (path:("*\\Microsoft Security Client\\*" "*\\Windows Defender\\*" "*\\AntiMalware\\*")))) OR (path:"*\\msseces.exe" AND NOT (path:("*\\Microsoft Security Center\\*" "*\\Microsoft Security Client\\*" "*\\Microsoft Security Essentials\\*")))) OR (path:"*\\OInfoP11.exe" AND NOT (path:"*\\Common Files\\Microsoft Shared\\*"))) OR (path:"*\\OleView.exe" AND NOT (path:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*" "*\\Windows Resource Kit\\*")))) OR (path:"*\\rc.exe" AND NOT (path:("*\\Microsoft Visual Studio*" "*\\Microsoft SDK*" "*\\Windows Kit*" "*\\Windows Resource Kit\\*" "*\\Microsoft.NET\\*")))))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_possible_applocker_bypass.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\\msdt.exe*" "*\\installutil.exe*" "*\\regsvcs.exe*" "*\\regasm.exe*" "*\\regsvr32.exe*" "*\\msbuild.exe*" "*\\ieexec.exe*" "*\\mshta.exe*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_powershell_amsi_bypass.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*System.Management.Automation.AmsiUtils*") AND cmdline:("*amsiInitFailed*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_powershell_b64_shellcode.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"*AAAAYInlM*" AND cmdline:("*OiCAAAAYInlM*" "*OiJAAAAYInlM*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_powershell_download.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\powershell.exe" AND cmdline:("*new\-object system.net.webclient\).downloadstring\(*" "*new\-object system.net.webclient\).downloadfile\(*" "*new\-object net.webclient\).downloadstring\(*" "*new\-object net.webclient\).downloadfile\(*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_powershell_renamed_ps.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND Description:"Windows PowerShell" AND NOT ((action:"PROC_CREATE" AND (path:("*\\powershell.exe" "*\\powershell_ise.exe") OR Description:"Windows PowerShell ISE"))))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_powershell_suspicious_parameter_variation.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\Powershell.exe") AND cmdline:(" \-windowstyle h " " \-windowstyl h" " \-windowsty h" " \-windowst h" " \-windows h" " \-windo h" " \-wind h" " \-win h" " \-wi h" " \-win h " " \-win hi " " \-win hid " " \-win hidd " " \-win hidde " " \-NoPr " " \-NoPro " " \-NoProf " " \-NoProfi " " \-NoProfil " " \-nonin " " \-nonint " " \-noninte " " \-noninter " " \-nonintera " " \-noninterac " " \-noninteract " " \-noninteracti " " \-noninteractiv " " \-ec " " \-encodedComman " " \-encodedComma " " \-encodedComm " " \-encodedCom " " \-encodedCo " " \-encodedC " " \-encoded " " \-encode " " \-encod " " \-enco " " \-en "))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_process_creation_bitsadmin_download.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\bitsadmin.exe") AND cmdline:("\/transfer"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_sdbinst_shim_persistence.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\sdbinst.exe") AND cmdline:("*\\AppPatch\\*\}.sdb*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_shell_spawn_susp_program.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (parent_path:("*\\mshta.exe" "*\\powershell.exe" "*\\cmd.exe" "*\\rundll32.exe" "*\\cscript.exe" "*\\wscript.exe" "*\\wmiprvse.exe") AND path:("*\\schtasks.exe" "*\\nslookup.exe" "*\\certutil.exe" "*\\bitsadmin.exe" "*\\mshta.exe")) AND NOT (CurrentDirectory:"*\\ccmcache\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_spn_enum.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (path:"*\\setspn.exe" OR Description:"*Query or reset the computer* SPN attribute*") AND cmdline:"*\-q*")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_calc.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (cmdline:"*\\calc.exe *" OR (action:"PROC_CREATE" AND path:"*\\calc.exe" AND NOT (path:"*\\Windows\\Sys*"))))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_certutil_command.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* \-decode *" "* \/decode *" "* \-decodehex *" "* \/decodehex *" "* \-urlcache *" "* \/urlcache *" "* \-verifyctl *" "* \/verifyctl *" "* \-encode *" "* \/encode *" "*certutil* \-URL*" "*certutil* \/URL*" "*certutil* \-ping*" "*certutil* \/ping*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_certutil_encode.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("certutil \-f \-encode *" "certutil.exe \-f \-encode *" "certutil \-encode \-f *" "certutil.exe \-encode \-f *"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_cli_escape.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("" "\^h\^t\^t\^p" "h\"t\"t\"p"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_cmd_http_appdata.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("cmd.exe \/c *http\:\/\/*%AppData%" "cmd.exe \/c *https\:\/\/*%AppData%"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_control_dll_load.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (parent_path:"*\\System32\\control.exe" AND cmdline:"*\\rundll32.exe *") AND NOT (cmdline:"*Shell32.dll*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_csc.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\csc.exe*" AND parent_path:("*\\wscript.exe" "*\\cscript.exe" "*\\mshta.exe"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_exec_folder.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("C\:\\PerfLogs\\*" "C\:\\$Recycle.bin\\*" "C\:\\Intel\\Logs\\*" "C\:\\owner_uids\\Default\\*" "C\:\\owner_uids\\Public\\*" "C\:\\owner_uids\\NetworkService\\*" "C\:\\Windows\\Fonts\\*" "C\:\\Windows\\Debug\\*" "C\:\\Windows\\Media\\*" "C\:\\Windows\\Help\\*" "C\:\\Windows\\addins\\*" "C\:\\Windows\\repair\\*" "C\:\\Windows\\security\\*" "*\\RSA\\MachineKeys\\*" "C\:\\Windows\\system32\\config\\systemprofile\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_execution_path.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\$Recycle.bin" "*\\owner_uids\\All owner_uids\\*" "*\\owner_uids\\Default\\*" "*\\owner_uids\\Public\\*" "C\:\\Perflogs\\*" "*\\config\\systemprofile\\*" "*\\Windows\\Fonts\\*" "*\\Windows\\IME\\*" "*\\Windows\\addins\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_execution_path_webserver.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\wwwroot\\*" "*\\wmpub\\*" "*\\htdocs\\*") AND NOT (path:("*bin\\*" "*\\Tools\\*" "*\\SMSComponent\\*") AND parent_path:("*\\services.exe")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_gup.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\GUP.exe" AND NOT (path:"*\\updater\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_iss_module_install.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\\APPCMD.EXE install module \/name\:*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_mmc_source.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (parent_path:"*\\mmc.exe" AND path:"*\\cmd.exe") AND NOT (cmdline:"*\\RunCmd.cmd"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_msiexec_web_install.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* msiexec*\:\\\/\\\/*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_net_execution.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\net.exe" "*\\net1.exe") AND cmdline:("* group*" "* localgroup*" "* user*" "* view*" "* share" "* accounts*" "* use*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_ntdsutil.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"*\\ntdsutil*")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_outlook.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (cmdline:"*EnableUnsafeClientMailRules*" OR (parent_path:"*\\outlook.exe" AND cmdline:"\\\\*\\*.exe")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_ping_hex_ip.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\\ping.exe 0x*" "*\\ping 0x*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_powershell_enc_cmd.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* \-e JAB*" "* \-enc JAB*" "* \-encodedcommand JAB*" "* BA\^J e\-") AND NOT (cmdline:"* \-ExecutionPolicy remotesigned *"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_powershell_hidden_b64_cmd.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\powershell.exe" AND cmdline:"* hidden *" AND cmdline:("*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*" "*aXRzYWRtaW4gL3RyYW5zZmVy*" "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*" "*JpdHNhZG1pbiAvdHJhbnNmZX*" "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*" "*Yml0c2FkbWluIC90cmFuc2Zlc*" "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*" "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*" "*JGNodW5rX3Npem*" "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*" "*RjaHVua19zaXpl*" "*Y2h1bmtfc2l6Z*" "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*" "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*" "*lPLkNvbXByZXNzaW9u*" "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*" "*SU8uQ29tcHJlc3Npb2*" "*Ty5Db21wcmVzc2lvb*" "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*" "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*" "*lPLk1lbW9yeVN0cmVhb*" "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*" "*SU8uTWVtb3J5U3RyZWFt*" "*Ty5NZW1vcnlTdHJlYW*" "*4ARwBlAHQAQwBoAHUAbgBrA*" "*5HZXRDaHVua*" "*AEcAZQB0AEMAaAB1AG4Aaw*" "*LgBHAGUAdABDAGgAdQBuAGsA*" "*LkdldENodW5r*" "*R2V0Q2h1bm*" "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*" "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*" "*RIUkVBRF9JTkZPNj*" "*SFJFQURfSU5GTzY0*" "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*" "*VEhSRUFEX0lORk82N*" "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*" "*cmVhdGVSZW1vdGVUaHJlYW*" "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*" "*NyZWF0ZVJlbW90ZVRocmVhZ*" "*Q3JlYXRlUmVtb3RlVGhyZWFk*" "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*" "*0AZQBtAG0AbwB2AGUA*" "*1lbW1vdm*" "*AGUAbQBtAG8AdgBlA*" "*bQBlAG0AbQBvAHYAZQ*" "*bWVtbW92Z*" "*ZW1tb3Zl*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_powershell_parent_combo.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (parent_path:("*\\wscript.exe" "*\\cscript.exe") AND path:("*\\powershell.exe")) AND NOT (CurrentDirectory:"*\\Health Service State\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_procdump.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* \-ma *") AND cmdline:("* lsass.exe*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_process_creations.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("vssadmin.exe delete shadows*" "vssadmin delete shadows*" "vssadmin create shadow \/for=C\:*" "copy \\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit*" "copy \\?\\GLOBALROOT\\Device\\*\\config\\SAM*" "reg SAVE HKLM\\SYSTEM *" "reg SAVE HKLM\\SAM *" "* sekurlsa\:*" "net localgroup administrators * \/add" "net group \"Domain Admins\" * \/ADD \/DOMAIN" "certutil.exe *\-urlcache* http*" "certutil.exe *\-urlcache* ftp*" "netsh advfirewall firewall *\\AppData\\*" "attrib \+S \+H \+R *\\AppData\\*" "schtasks* \/create *\\AppData\\*" "schtasks* \/sc minute*" "*\\Regasm.exe *\\AppData\\*" "*\\Regasm *\\AppData\\*" "*\\bitsadmin* \/transfer*" "*\\certutil.exe * \-decode *" "*\\certutil.exe * \-decodehex *" "*\\certutil.exe \-ping *" "icacls * \/grant Everyone\:F \/T \/C \/Q" "* wmic shadowcopy delete *" "* wbadmin.exe delete catalog \-quiet*" "*\\wscript.exe *.jse" "*\\wscript.exe *.js" "*\\wscript.exe *.vba" "*\\wscript.exe *.vbe" "*\\cscript.exe *.jse" "*\\cscript.exe *.js" "*\\cscript.exe *.vba" "*\\cscript.exe *.vbe" "*\\fodhelper.exe" "*waitfor*\/s*" "*waitfor*\/si persist*" "*remote*\/s*" "*remote*\/c*" "*remote*\/q*" "*AddInProcess*" "* \/stext *" "* \/scomma *" "* \/stab *" "* \/stabular *" "* \/shtml *" "* \/sverhtml *" "* \/sxml *"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_prog_location_process_starts.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\$Recycle.bin" "*\\Users\\Public\\*" "C\:\\Perflogs\\*" "*\\Windows\\Fonts\\*" "*\\Windows\\IME\\*" "*\\Windows\\addins\\*" "*\\Windows\\debug\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_ps_appdata.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("* \/c powershell*\\AppData\\Local\\*" "* \/c powershell*\\AppData\\Roaming\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_rasdial_activity.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("rasdial"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_recon_activity.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("net group \"domain admins\" \/domain" "net localgroup administrators"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_regsvr32_anomalies.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND ((path:"*\\regsvr32.exe" AND cmdline:"*\\Temp\\*") OR (path:"*\\regsvr32.exe" AND parent_path:"*\\powershell.exe") OR (path:"*\\regsvr32.exe" AND cmdline:("*\/i\:http* scrobj.dll" "*\/i\:ftp* scrobj.dll")) OR (path:"*\\wscript.exe" AND parent_path:"*\\regsvr32.exe") OR (path:"*\\EXCEL.EXE" AND cmdline:"*..\\..\\..\\Windows\\System32\\regsvr32.exe *")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_run_locations.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\:\\RECYCLER\\*" "*\:\\SystemVolumeInformation\\*" "%windir%\\Tasks\\*" "%systemroot%\\debug\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_rundll32_activity.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\\rundll32.exe* url.dll,*OpenURL *" "*\\rundll32.exe* url.dll,*OpenURLA *" "*\\rundll32.exe* url.dll,*FileProtocolHandler *" "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *" "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *" "*\\rundll32.exe javascript\:*" "* url.dll,*OpenURL *" "* url.dll,*OpenURLA *" "* url.dll,*FileProtocolHandler *" "* zipfldr.dll,*RouteTheCall *" "* Shell32.dll,*Control_RunDLL *" "* javascript\:*" "*.RegisterXLL*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_schtask_creation.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND (path:"*\\schtasks.exe" AND cmdline:"* \/create *") AND NOT (owner_uid:"NT AUTHORITY\\SYSTEM"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_script_execution.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\wscript.exe" "*\\cscript.exe") AND cmdline:("*.jse" "*.vbe" "*.js" "*.vba"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_squirrel_lolbin.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\update.exe") AND cmdline:("*\-\-processStart*.exe*" "*\-\-createShortcut*.exe*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_svchost.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\svchost.exe" AND NOT (parent_path:("*\\services.exe" "*\\MsMpEng.exe" "*\\Mrt.exe")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_sysprep_appdata.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("*\\sysprep.exe *\\AppData\\*" "sysprep.exe *\\AppData\\*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_sysvol_access.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"*\\SYSVOL\\*\\policies\\*")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_taskmgr_localsystem.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND owner_uid:"NT AUTHORITY\\SYSTEM" AND path:"*\\taskmgr.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_taskmgr_parent.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:"*\\taskmgr.exe" AND NOT (path:("resmon.exe" "mmc.exe")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_tscon_localsystem.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND owner_uid:"NT AUTHORITY\\SYSTEM" AND path:"*\\tscon.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_tscon_rdp_redirect.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"* \/dest\:rdp\-tcp\:*")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_vssadmin_ntds_activity.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:("vssadmin.exe Delete Shadows" "vssadmin create shadow \/for=C\:" "copy \\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit" "copy \\?\\GLOBALROOT\\Device\\*\\config\\SAM" "vssadmin delete shadows \/for=C\:" "reg SAVE HKLM\\SYSTEM " "esentutl.exe \/y \/vss *\\ntds.dit*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_whoami.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"whoami")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_susp_wmi_execution.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\wmic.exe") AND cmdline:("*\/NODE\:*process call create *" "* path AntiVirusProduct get *" "* path FirewallProduct get *" "* shadowcopy delete *"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_system_exe_anomaly.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:("*\\svchost.exe" "*\\rundll32.exe" "*\\services.exe" "*\\powershell.exe" "*\\regsvr32.exe" "*\\spoolsv.exe" "*\\lsass.exe" "*\\smss.exe" "*\\csrss.exe" "*\\conhost.exe") AND NOT (path:("*\\System32\\*" "*\\SysWow64\\*")))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_vul_java_remote_debugging.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND cmdline:"*transport=dt_socket,address=*" AND NOT (cmdline:"*address=127.0.0.1*" OR cmdline:"*address=localhost*"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_webshell_detection.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:("*\\apache*" "*\\tomcat*" "*\\w3wp.exe" "*\\php\-cgi.exe" "*\\nginx.exe" "*\\httpd.exe") AND cmdline:("whoami" "net user" "ping \-n" "systeminfo"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_webshell_spawn.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:("*\\w3wp.exe" "*\\httpd.exe" "*\\nginx.exe" "*\\php\-cgi.exe") AND path:("*\\cmd.exe" "*\\sh.exe" "*\\bash.exe" "*\\powershell.exe"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_wmi_persistence_script_event_consumer.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND parent_path:"C\:\\Windows\\System32\\svchost.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_wmi_spwns_powershell.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND parent_path:("*\\wmiprvse.exe") AND path:("*\\powershell.exe"))
2 |
--------------------------------------------------------------------------------
/process_creation/graylog/win_workflow_compiler.txt:
--------------------------------------------------------------------------------
1 | (action:"PROC_CREATE" AND path:"*\\Microsoft.Workflow.Compiler.exe")
2 |
--------------------------------------------------------------------------------
/process_creation/sigma/powershell_xor_commandline.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious XOR Encoded PowerShell Command Line
2 | description: Detects a suspicious powershell process whose command line includes the bxor operator, an alternative
3 | obfuscation method to b64 encoded commands.
4 | status: experimental
5 | author: PolyLogyx
6 | date: 2018/09/05
7 | tags:
8 | - attack.execution
9 | - attack.t1086
10 | detection:
11 | selection:
12 | cmdline:
13 | - '* -bxor*'
14 | condition: selection
15 | falsepositives:
16 | - unknown
17 | level: medium
18 | logsource:
19 | category: process_creation
20 | product: win_plgx_extension
21 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_cmdkey_recon.yml:
--------------------------------------------------------------------------------
1 | title: Cmdkey Cached Credentials Recon
2 | status: experimental
3 | description: Detects usage of cmdkey to look for cached credentials
4 | references:
5 | - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
6 | - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
7 | author: PolyLogyx
8 | tags:
9 | - attack.credential_access
10 | - attack.t1003
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | path: '*\cmdkey.exe'
17 | cmdline: '* /list *'
18 | condition: selection
19 | falsepositives:
20 | - Legitimate administrative tasks.
21 | level: low
22 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_exploit_cve_2015_1641.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2015-1641
2 | status: experimental
3 | description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used
4 | in exploits for CVE-2015-1641
5 | references:
6 | - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
7 | - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
8 | author: PolyLogyx
9 | date: 2018/02/22
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1036
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path: '*\WINWORD.EXE'
19 | path: '*\MicroScMgmt.exe'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: critical
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_exploit_cve_2017_0261.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2017-0261
2 | status: experimental
3 | description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits
4 | for CVE-2017-0261 and CVE-2017-0262
5 | references:
6 | - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
7 | author: PolyLogyx
8 | date: 2018/02/22
9 | tags:
10 | - attack.defense_evasion
11 | - attack.privilege_escalation
12 | - attack.t1055
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path: '*\WINWORD.EXE'
19 | path: '*\FLTLDR.exe*'
20 | condition: selection
21 | falsepositives:
22 | - Several false positives identified, check for suspicious file names or locations
23 | (e.g. Temp folders)
24 | level: medium
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_exploit_cve_2017_11882.yml:
--------------------------------------------------------------------------------
1 | title: Droppers exploiting CVE-2017-11882
2 | status: experimental
3 | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other
4 | sub processes like mshta.exe
5 | references:
6 | - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
7 | - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
8 | author: PolyLogyx
9 | date: 2017/11/23
10 | tags:
11 | - attack.defense_evasion
12 | - attack.t1211
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path: '*\EQNEDT32.EXE'
19 | condition: selection
20 | falsepositives:
21 | - unknown
22 | level: critical
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_exploit_cve_2017_8759.yml:
--------------------------------------------------------------------------------
1 | title: Exploit for CVE-2017-8759
2 | description: Detects Winword starting uncommon sub process csc.exe as used in exploits
3 | for CVE-2017-8759
4 | references:
5 | - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
6 | - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
7 | tags:
8 | - attack.execution
9 | - attack.t1203
10 | author: PolyLogyx
11 | date: 2017/09/15
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | parent_path: '*\WINWORD.EXE'
18 | path: '*\csc.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: critical
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_hack_rubeus.yml:
--------------------------------------------------------------------------------
1 | title: Rubeus Hack Tool
2 | description: Detects command line parameters used by Rubeus hack tool
3 | author: PolyLogyx
4 | references:
5 | - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
6 | date: 2018/12/19
7 | tags:
8 | - attack.credential_access
9 | - attack.t1003
10 | - attack.s0005
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - '* asreproast *'
18 | - '* dump /service:krbtgt *'
19 | - '* kerberoast *'
20 | - '* createnetonly /program:*'
21 | - '* ptt /ticket:*'
22 | - '* /impersonateuser:*'
23 | - '* renew /ticket:*'
24 | - '* asktgt /user:*'
25 | - '* harvest /interval:*'
26 | condition: selection
27 | falsepositives:
28 | - unlikely
29 | level: critical
30 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_lethalhta.yml:
--------------------------------------------------------------------------------
1 | title: MSHTA spawned by SVCHOST as seen in LethalHTA
2 | status: experimental
3 | description: Detects MSHTA.EXE spawned by SVCHOST as described in the referenced report
4 | references:
5 | - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
6 | tags:
7 | - attack.defense_evasion
8 | - attack.execution
9 | - attack.t1170
10 | author: PolyLogyx
11 | date: 2018/06/07
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | parent_path: '*\svchost.exe'
18 | path: '*\mshta.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_mal_lockergoga.yml:
--------------------------------------------------------------------------------
1 | title: LockerGoga Ransomware
2 | description: Detects a command that clears the WMI trace log, which indicates LockerGoga
3 | ransomware activity
4 | references:
5 | - https://abuse.io/lockergoga.txt
6 | author: PolyLogyx
7 | date: 2019/03/22
8 | tags:
9 | - attack.execution
10 | - attack.t1064
11 | level: high
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | cmdline: '* cl Microsoft-Windows-WMI-Activity/Trace'
18 | condition: selection
19 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_mal_wannacry.yml:
--------------------------------------------------------------------------------
1 | title: WannaCry Ransomware
2 | description: Detects WannaCry Ransomware Activity
3 | status: experimental
4 | references:
5 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
6 | author: PolyLogyx
7 | logsource:
8 | category: process_creation
9 | product: win_plgx_extension
10 | detection:
11 | selection1:
12 | cmdline:
13 | - '*vssadmin delete shadows*'
14 | - '*icacls * /grant Everyone:F /T /C /Q*'
15 | - '*bcdedit /set {default} recoveryenabled no*'
16 | - '*wbadmin delete catalog -quiet*'
17 | selection2:
18 | path:
19 | - '*\tasksche.exe'
20 | - '*\mssecsvc.exe'
21 | - '*\taskdl.exe'
22 | - '*\WanaDecryptor*'
23 | - '*\taskhsvc.exe'
24 | - '*\taskse.exe'
25 | - '*\111.exe'
26 | - '*\lhdfrgui.exe'
27 | - '*\diskpart.exe'
28 | - '*\linuxnew.exe'
29 | - '*\wannacry.exe'
30 | condition: 1 of them
31 | falsepositives:
32 | - Unknown
33 | level: critical
34 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_malware_dridex.yml:
--------------------------------------------------------------------------------
1 | title: Dridex Process Pattern
2 | status: experimental
3 | description: Detects typical Dridex process patterns
4 | references:
5 | - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
6 | author: PolyLogyx
7 | date: 2019/01/10
8 | tags:
9 | - attack.defense_evasion
10 | - attack.privilege_escalation
11 | - attack.t1055
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection1:
17 | cmdline: '*\svchost.exe C:\Users\\*\Desktop\\*'
18 | selection2:
19 | parent_path: '*\svchost.exe*'
20 | cmdline:
21 | - '*whoami.exe /all'
22 | - '*net.exe view'
23 | condition: 1 of them
24 | falsepositives:
25 | - Unlikely
26 | level: critical
27 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_malware_script_dropper.yml:
--------------------------------------------------------------------------------
1 | title: WScript or CScript Dropper
2 | status: experimental
3 | description: Detects wscript/cscript executions of scripts located in user directories
4 | author: PolyLogyx
5 | tags:
6 | - attack.defense_evasion
7 | - attack.execution
8 | - attack.t1064
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | path:
15 | - '*\wscript.exe'
16 | - '*\cscript.exe'
17 | cmdline:
18 | - '* C:\Users\\*.jse *'
19 | - '* C:\Users\\*.vbe *'
20 | - '* C:\Users\\*.js *'
21 | - '* C:\Users\\*.vba *'
22 | - '* C:\Users\\*.vbs *'
23 | - '* C:\ProgramData\\*.jse *'
24 | - '* C:\ProgramData\\*.vbe *'
25 | - '* C:\ProgramData\\*.js *'
26 | - '* C:\ProgramData\\*.vba *'
27 | - '* C:\ProgramData\\*.vbs *'
28 | falsepositive:
29 | parent_path: '*\winzip*'
30 | condition: selection and not falsepositive
31 | falsepositives:
32 | - Winzip
33 | - Other self-extractors
34 | level: high
35 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_malware_wannacry.yml:
--------------------------------------------------------------------------------
1 | title: WannaCry Ransomware via Sysmon
2 | status: experimental
3 | description: Detects WannaCry ransomware activity via Sysmon
4 | references:
5 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
6 | author: PolyLogyx
7 | logsource:
8 | category: process_creation
9 | product: win_plgx_extension
10 | detection:
11 | selection1:
12 | path:
13 | - '*\tasksche.exe'
14 | - '*\mssecsvc.exe'
15 | - '*\taskdl.exe'
16 | - '*\@WanaDecryptor@*'
17 | - '*\taskhsvc.exe'
18 | - '*\taskse.exe'
19 | - '*\111.exe'
20 | - '*\lhdfrgui.exe'
21 | - '*\diskpart.exe'
22 | - '*\linuxnew.exe'
23 | - '*\wannacry.exe'
24 | selection2:
25 | cmdline:
26 | - '*vssadmin delete shadows*'
27 | - '*icacls * /grant Everyone:F /T /C /Q*'
28 | - '*bcdedit /set {default} recoveryenabled no*'
29 | - '*wbadmin delete catalog -quiet*'
30 | - '*@Please_Read_Me@.txt*'
31 | condition: 1 of them
32 | falsepositives:
33 | - Diskpart.exe usage to manage partitions on the local hard drive
34 | level: critical
35 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_mavinject_proc_inj.yml:
--------------------------------------------------------------------------------
1 | title: MavInject Process Injection
2 | status: experimental
3 | description: Detects process injection using the signed Windows tool Mavinject32.exe
4 | references:
5 | - https://twitter.com/gN3mes1s/status/941315826107510784
6 | - https://reaqta.com/2017/12/mavinject-microsoft-injector/
7 | - https://twitter.com/Hexacorn/status/776122138063409152
8 | author: PolyLogyx
9 | date: 2018/12/12
10 | tags:
11 | - attack.process_injection
12 | - attack.t1055
13 | - attack.signed_binary_proxy_execution
14 | - attack.t1218
15 | logsource:
16 | category: process_creation
17 | product: win_plgx_extension
18 | detection:
19 | selection:
20 | cmdline: '* /INJECTRUNNING *'
21 | condition: selection
22 | falsepositives:
23 | - unknown
24 | level: critical
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_mshta_spawn_shell.yml:
--------------------------------------------------------------------------------
1 | title: MSHTA Spawning Windows Shell
2 | status: experimental
3 | description: Detects a Windows command line executable started from MSHTA.
4 | references:
5 | - https://www.trustedsec.com/july-2015/malicious-htas/
6 | author: PolyLogyx
7 | logsource:
8 | category: process_creation
9 | product: win_plgx_extension
10 | detection:
11 | selection:
12 | parent_path: '*\mshta.exe'
13 | path:
14 | - '*\cmd.exe'
15 | - '*\powershell.exe'
16 | - '*\wscript.exe'
17 | - '*\cscript.exe'
18 | - '*\sh.exe'
19 | - '*\bash.exe'
20 | - '*\reg.exe'
21 | - '*\regsvr32.exe'
22 | - '*\BITSADMIN*'
23 | filter:
24 | cmdline:
25 | - '*/HP/HP*'
26 | - '*\HP\HP*'
27 | condition: selection and not filter
28 | tags:
29 | - attack.defense_evasion
30 | - attack.execution
31 | - attack.t1170
32 | falsepositives:
33 | - Printer software / driver installations
34 | level: high
35 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_netsh_fw_add.yml:
--------------------------------------------------------------------------------
1 | title: Netsh
2 | description: Allow Incoming Connections by Port or Application on Windows Firewall
3 | references:
4 | - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
5 | - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
6 | date: 2019/01/29
7 | tags:
8 | - attack.lateral_movement
9 | - attack.command_and_control
10 | - attack.t1090
11 | status: experimental
12 | author: PolyLogyx
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline:
19 | - '*netsh firewall add*'
20 | condition: selection
21 | falsepositives:
22 | - Legitimate administration
23 | level: medium
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_netsh_port_fwd.yml:
--------------------------------------------------------------------------------
1 | title: Netsh Port Forwarding
2 | description: Detects netsh commands that configure a port forwarding
3 | references:
4 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
5 | date: 2019/01/29
6 | tags:
7 | - attack.lateral_movement
8 | - attack.command_and_control
9 | - attack.t1090
10 | status: experimental
11 | author: PolyLogyx
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | cmdline:
18 | - netsh interface portproxy add v4tov4 *
19 | condition: selection
20 | falsepositives:
21 | - Legitimate administration
22 | level: medium
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_netsh_port_fwd_3389.yml:
--------------------------------------------------------------------------------
1 | title: Netsh RDP Port Forwarding
2 | description: Detects netsh commands that configure a port forwarding of port 3389
3 | used for RDP
4 | references:
5 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
6 | date: 2019/01/29
7 | tags:
8 | - attack.lateral_movement
9 | - attack.t1021
10 | status: experimental
11 | author: PolyLogyx
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | cmdline:
18 | - netsh i* p*=3389 c*
19 | condition: selection
20 | falsepositives:
21 | - Legitimate administration
22 | level: high
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_office_shell.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Office Product Spawning Windows Shell
2 | status: experimental
3 | description: Detects a Windows command line executable started from Microsoft Word,
4 | Excel, Powerpoint, Publisher and Visio.
5 | references:
6 | - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
7 | - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
8 | tags:
9 | - attack.execution
10 | - attack.defense_evasion
11 | - attack.t1059
12 | - attack.t1202
13 | author: PolyLogyx
14 | date: 2018/04/06
15 | logsource:
16 | category: process_creation
17 | product: win_plgx_extension
18 | detection:
19 | selection:
20 | parent_path:
21 | - '*\WINWORD.EXE'
22 | - '*\EXCEL.EXE'
23 | - '*\POWERPNT.exe'
24 | - '*\MSPUB.exe'
25 | - '*\VISIO.exe'
26 | - '*\OUTLOOK.EXE'
27 | path:
28 | - '*\cmd.exe'
29 | - '*\powershell.exe'
30 | - '*\wscript.exe'
31 | - '*\cscript.exe'
32 | - '*\sh.exe'
33 | - '*\bash.exe'
34 | - '*\scrcons.exe'
35 | - '*\schtasks.exe'
36 | - '*\regsvr32.exe'
37 | - '*\hh.exe'
38 | - '*\wmic.exe'
39 | - '*\mshta.exe'
40 | - '*\rundll32.exe'
41 | - '*\msiexec.exe'
42 | - '*\forfiles.exe'
43 | - '*\scriptrunner.exe'
44 | - '*\mftrace.exe'
45 | - '*\AppVLP.exe'
46 | - '*\svchost.exe'
47 | condition: selection
48 | falsepositives:
49 | - unknown
50 | level: high
51 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_plugx_susp_exe_locations.yml:
--------------------------------------------------------------------------------
1 | title: Executable used by PlugX in Uncommon Location - Sysmon Version
2 | status: experimental
3 | description: Detects the execution of an executable that is typically used by PlugX
4 | for DLL side loading started from an uncommon location
5 | references:
6 | - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
7 | - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
8 | author: PolyLogyx
9 | date: 2017/06/12
10 | tags:
11 | - attack.s0013
12 | - attack.defense_evasion
13 | - attack.t1073
14 | logsource:
15 | category: process_creation
16 | product: win_plgx_extension
17 | detection:
18 | selection_cammute:
19 | path: '*\CamMute.exe'
20 | filter_cammute:
21 | path: '*\Lenovo\Communication Utility\\*'
22 | selection_chrome_frame:
23 | path: '*\chrome_frame_helper.exe'
24 | filter_chrome_frame:
25 | path: '*\Google\Chrome\application\\*'
26 | selection_devemu:
27 | path: '*\dvcemumanager.exe'
28 | filter_devemu:
29 | path: '*\Microsoft Device Emulator\\*'
30 | selection_gadget:
31 | path: '*\Gadget.exe'
32 | filter_gadget:
33 | path: '*\Windows Media Player\\*'
34 | selection_hcc:
35 | path: '*\hcc.exe'
36 | filter_hcc:
37 | path: '*\HTML Help Workshop\\*'
38 | selection_hkcmd:
39 | path: '*\hkcmd.exe'
40 | filter_hkcmd:
41 | path:
42 | - '*\System32\\*'
43 | - '*\SysNative\\*'
44 | - '*\SysWOW64\\*'
45 | selection_mc:
46 | path: '*\Mc.exe'
47 | filter_mc:
48 | path:
49 | - '*\Microsoft Visual Studio*'
50 | - '*\Microsoft SDK*'
51 | - '*\Windows Kit*'
52 | selection_msmpeng:
53 | path: '*\MsMpEng.exe'
54 | filter_msmpeng:
55 | path:
56 | - '*\Microsoft Security Client\\*'
57 | - '*\Windows Defender\\*'
58 | - '*\AntiMalware\\*'
59 | selection_msseces:
60 | path: '*\msseces.exe'
61 | filter_msseces:
62 | path:
63 | - '*\Microsoft Security Center\\*'
64 | - '*\Microsoft Security Client\\*'
65 | - '*\Microsoft Security Essentials\\*'
66 | selection_oinfo:
67 | path: '*\OInfoP11.exe'
68 | filter_oinfo:
69 | path: '*\Common Files\Microsoft Shared\\*'
70 | selection_oleview:
71 | path: '*\OleView.exe'
72 | filter_oleview:
73 | path:
74 | - '*\Microsoft Visual Studio*'
75 | - '*\Microsoft SDK*'
76 | - '*\Windows Kit*'
77 | - '*\Windows Resource Kit\\*'
78 | selection_rc:
79 | path: '*\rc.exe'
80 | filter_rc:
81 | path:
82 | - '*\Microsoft Visual Studio*'
83 | - '*\Microsoft SDK*'
84 | - '*\Windows Kit*'
85 | - '*\Windows Resource Kit\\*'
86 | - '*\Microsoft.NET\\*'
87 | condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame
88 | and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu
89 | ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not
90 | filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc
91 | and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces
92 | and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or (
93 | selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc
94 | )
95 | falsepositives:
96 | - Unknown
97 | level: high
98 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_possible_applocker_bypass.yml:
--------------------------------------------------------------------------------
1 | title: Possible Applocker Bypass
2 | description: Detects execution of executables that can be used to bypass Applocker
3 | whitelisting
4 | status: experimental
5 | references:
6 | - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
7 | - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
8 | author: PolyLogyx
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1118
12 | - attack.t1121
13 | - attack.t1127
14 | - attack.t1170
15 | logsource:
16 | category: process_creation
17 | product: win_plgx_extension
18 | detection:
19 | selection:
20 | cmdline:
21 | - '*\msdt.exe*'
22 | - '*\installutil.exe*'
23 | - '*\regsvcs.exe*'
24 | - '*\regasm.exe*'
25 | - '*\regsvr32.exe*'
26 | - '*\msbuild.exe*'
27 | - '*\ieexec.exe*'
28 | - '*\mshta.exe*'
29 | condition: selection
30 | falsepositives:
31 | - False positives depend on scripts and administrative tools used in the monitored
32 | environment
33 | - Using installutil to add features for .NET applications (primarily occurs
34 | in developer environments)
35 | level: low
36 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_powershell_amsi_bypass.yml:
--------------------------------------------------------------------------------
1 | title: Powershell AMSI Bypass via .NET Reflection
2 | status: experimental
3 | description: Detects a PowerShell command line that references System.Management.Automation.AmsiUtils together with amsiInitFailed, the .NET reflection pattern used to set amsiInitFailed and disable AMSI scanning for the session
4 | references:
5 | - https://twitter.com/mattifestation/status/735261176745988096
6 | - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
7 | tags:
8 | - attack.execution
9 | - attack.defense_evasion
10 | - attack.t1086
11 | author: PolyLogyx
12 | date: 2018/08/17
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection1:
18 | cmdline:
19 | - '*System.Management.Automation.AmsiUtils*'
20 | selection2:
21 | cmdline:
22 | - '*amsiInitFailed*'
23 | condition: selection1 and selection2
24 | falsepositives:
25 | - Potential Admin Activity
26 | level: high
27 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_powershell_b64_shellcode.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Base64 Encoded Shellcode
2 | description: Detects Base64 encoded shellcode in a command line by matching the Base64 form of a common shellcode prologue (see reference)
3 | status: experimental
4 | references:
5 | - https://twitter.com/cyb3rops/status/1063072865992523776
6 | author: PolyLogyx
7 | date: 2018/11/17
8 | tags:
9 | - attack.defense_evasion
10 | - attack.t1036
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection1:
16 | cmdline: '*AAAAYInlM*'
17 | selection2:
18 | cmdline:
19 | - '*OiCAAAAYInlM*'
20 | - '*OiJAAAAYInlM*'
21 | condition: selection1 and selection2
22 | falsepositives:
23 | - Unknown
24 | level: critical
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_powershell_download.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Download from URL
2 | status: experimental
3 | description: Detects a PowerShell process whose command line contains a System.Net.WebClient DownloadString or DownloadFile download cradle; other
4 | download methods (e.g. Invoke-WebRequest or BITS transfers) are not covered by this rule
5 | author: PolyLogyx
6 | tags:
7 | - attack.t1086
8 | - attack.execution
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | path: '*\powershell.exe'
15 | cmdline:
16 | - '*new-object system.net.webclient).downloadstring(*'
17 | - '*new-object system.net.webclient).downloadfile(*'
18 | - '*new-object net.webclient).downloadstring(*'
19 | - '*new-object net.webclient).downloadfile(*'
20 | condition: selection
21 | falsepositives:
22 | - unknown
23 | level: medium
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_powershell_renamed_ps.yml:
--------------------------------------------------------------------------------
1 | title: Renamed Powershell.exe
2 | status: experimental
3 | description: Detects copying and renaming of powershell.exe before execution (RETEFE
4 | malware DOC/macro starting Sept 2018)
5 | references:
6 | - https://attack.mitre.org/techniques/T1086/
7 | - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
8 | tags:
9 | - attack.t1086
10 | - attack.execution
11 | author: PolyLogyx
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | Description: Windows PowerShell
18 | exclusion_1:
19 | path:
20 | - '*\powershell.exe'
21 | - '*\powershell_ise.exe'
22 | exclusion_2:
23 | Description: Windows PowerShell ISE
24 | condition: all of selection and not (1 of exclusion_*)
25 | falsepositives:
26 | - penetration tests, red teaming
27 | level: high
28 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_powershell_suspicious_parameter_variation.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Parameter Substring
2 | status: experimental
3 | description: Detects suspicious PowerShell invocation with a parameter substring
4 | references:
5 | - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
6 | tags:
7 | - attack.execution
8 | - attack.t1086
9 | author: PolyLogyx
10 | logsource:
11 | category: process_creation
12 | product: win_plgx_extension
13 | detection:
14 | selection:
15 | path:
16 | - '*\Powershell.exe'
17 | cmdline:
18 | - ' -windowstyle h '
19 | - ' -windowstyl h'
20 | - ' -windowsty h'
21 | - ' -windowst h'
22 | - ' -windows h'
23 | - ' -windo h'
24 | - ' -wind h'
25 | - ' -win h'
26 | - ' -wi h'
27 | - ' -win h '
28 | - ' -win hi '
29 | - ' -win hid '
30 | - ' -win hidd '
31 | - ' -win hidde '
32 | - ' -NoPr '
33 | - ' -NoPro '
34 | - ' -NoProf '
35 | - ' -NoProfi '
36 | - ' -NoProfil '
37 | - ' -nonin '
38 | - ' -nonint '
39 | - ' -noninte '
40 | - ' -noninter '
41 | - ' -nonintera '
42 | - ' -noninterac '
43 | - ' -noninteract '
44 | - ' -noninteracti '
45 | - ' -noninteractiv '
46 | - ' -ec '
47 | - ' -encodedComman '
48 | - ' -encodedComma '
49 | - ' -encodedComm '
50 | - ' -encodedCom '
51 | - ' -encodedCo '
52 | - ' -encodedC '
53 | - ' -encoded '
54 | - ' -encode '
55 | - ' -encod '
56 | - ' -enco '
57 | - ' -en '
58 | condition: selection
59 | falsepositives:
60 | - Penetration tests
61 | level: high
62 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_process_creation_bitsadmin_download.yml:
--------------------------------------------------------------------------------
1 | title: Bitsadmin Download
2 | status: experimental
3 | description: Detects usage of bitsadmin downloading a file
4 | references:
5 | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
6 | - https://isc.sans.edu/diary/22264
7 | tags:
8 | - attack.defense_evasion
9 | - attack.persistence
10 | - attack.t1197
11 | - attack.s0190
12 | author: PolyLogyx
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | path:
19 | - '*\bitsadmin.exe'
20 | cmdline:
21 | - /transfer
22 | condition: selection
23 | falsepositives:
24 | - Some legitimate apps use this, but limited.
25 | level: medium
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_sdbinst_shim_persistence.yml:
--------------------------------------------------------------------------------
1 | title: Possible Shim Database Persistence via sdbinst.exe
2 | status: experimental
3 | description: Detects sdbinst.exe installing a GUID-named shim database (.sdb) from the default shim database path C:\Windows\AppPatch\, a persistence technique documented for FIN7
4 | references:
5 | - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
6 | tags:
7 | - attack.persistence
8 | - attack.t1138
9 | author: PolyLogyx
10 | date: 2018/08/03
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | path:
17 | - '*\sdbinst.exe'
18 | cmdline:
19 | - '*\AppPatch\\*}.sdb*'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_shell_spawn_susp_program.yml:
--------------------------------------------------------------------------------
1 | title: Windows Shell Spawning Suspicious Program
2 | status: experimental
3 | description: Detects a suspicious child process of a Windows shell
4 | references:
5 | - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
6 | author: PolyLogyx
7 | date: 2018/04/06
8 | modified: 2019/02/05
9 | tags:
10 | - attack.execution
11 | - attack.defense_evasion
12 | - attack.t1064
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path:
19 | - '*\mshta.exe'
20 | - '*\powershell.exe'
21 | - '*\cmd.exe'
22 | - '*\rundll32.exe'
23 | - '*\cscript.exe'
24 | - '*\wscript.exe'
25 | - '*\wmiprvse.exe'
26 | path:
27 | - '*\schtasks.exe'
28 | - '*\nslookup.exe'
29 | - '*\certutil.exe'
30 | - '*\bitsadmin.exe'
31 | - '*\mshta.exe'
32 | falsepositives:
33 | CurrentDirectory: '*\ccmcache\*'
34 | condition: selection and not falsepositives
35 | falsepositives:
36 | - Administrative scripts
37 | - Microsoft SCCM (excluded via the ccmcache CurrentDirectory filter; confirm this field is populated by the win_plgx_extension logsource, otherwise the exclusion never applies)
38 | level: high
39 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_spn_enum.yml:
--------------------------------------------------------------------------------
1 | title: Possible SPN Enumeration
2 | description: Detects Service Principal Name Enumeration used for Kerberoasting
3 | status: experimental
4 | references:
5 | - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
6 | author: PolyLogyx
7 | date: 2018/11/14
8 | tags:
9 | - attack.credential_access
10 | - attack.t1208
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection_image:
16 | path: '*\setspn.exe'
17 | selection_desc:
18 | Description: '*Query or reset the computer* SPN attribute*'
19 | cmd:
20 | cmdline: '*-q*'
21 | condition: (selection_image or selection_desc) and cmd
22 | falsepositives:
23 | - Administrator Activity
24 | level: medium
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_calc.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Calculator Usage
2 | description: Detects suspicious use of calc.exe with command line parameters or in
3 | a suspicious directory, which is likely caused by some PoC or detection evasion
4 | status: experimental
5 | references:
6 | - https://twitter.com/ItsReallyNick/status/1094080242686312448
7 | author: PolyLogyx
8 | date: 2019/02/09
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection1:
17 | cmdline: '*\calc.exe *'
18 | selection2:
19 | path: '*\calc.exe'
20 | filter2:
21 | path: '*\Windows\Sys*'
22 | condition: selection1 or ( selection2 and not filter2 )
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_certutil_command.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Certutil Command
2 | status: experimental
3 | description: Detects suspicious Microsoft certutil executions with sub commands such as
4 | 'decode', 'decodehex', 'encode', 'urlcache', 'verifyctl', 'URL' or 'ping', which are abused to decode,
5 | download or stage malicious code with the built-in certutil utility
6 | author: PolyLogyx
7 | modified: 2019/01/22
8 | references:
9 | - https://twitter.com/JohnLaTwC/status/835149808817991680
10 | - https://twitter.com/subTee/status/888102593838362624
11 | - https://twitter.com/subTee/status/888071631528235010
12 | - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
13 | - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
14 | - https://twitter.com/egre55/status/1087685529016193025
15 | - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16 | logsource:
17 | category: process_creation
18 | product: win_plgx_extension
19 | detection:
20 | selection:
21 | cmdline:
22 | - '* -decode *'
23 | - '* /decode *'
24 | - '* -decodehex *'
25 | - '* /decodehex *'
26 | - '* -urlcache *'
27 | - '* /urlcache *'
28 | - '* -verifyctl *'
29 | - '* /verifyctl *'
30 | - '* -encode *'
31 | - '* /encode *'
32 | - '*certutil* -URL*'
33 | - '*certutil* /URL*'
34 | - '*certutil* -ping*'
35 | - '*certutil* /ping*'
36 | condition: selection
37 | tags:
38 | - attack.defense_evasion
39 | - attack.t1140
40 | - attack.t1105
41 | - attack.s0189
42 | - attack.g0007
43 | falsepositives:
44 | - False positives depend on scripts and administrative tools used in the monitored
45 | environment
46 | level: high
47 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_certutil_encode.yml:
--------------------------------------------------------------------------------
1 | title: Certutil Encode
2 | status: experimental
3 | description: Detects a suspicious certutil command used to encode files, which
4 | is sometimes used for data exfiltration
5 | references:
6 | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
7 | - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
8 | author: PolyLogyx
9 | date: 2019/02/24
10 | logsource:
11 | category: process_creation
12 | product: win_plgx_extension
13 | detection:
14 | selection:
15 | cmdline:
16 | - certutil -f -encode *
17 | - certutil.exe -f -encode *
18 | - certutil -encode -f *
19 | - certutil.exe -encode -f *
20 | condition: selection
21 | falsepositives:
22 | - unknown
23 | level: medium
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_cli_escape.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Commandline Escape
2 | description: Detects suspicious process command lines that use caret or double-quote escape characters to obfuscate strings such as 'http'
3 | status: experimental
4 | references:
5 | - https://twitter.com/vysecurity/status/885545634958385153
6 | - https://twitter.com/Hexacorn/status/885553465417756673
7 | - https://twitter.com/Hexacorn/status/885570278637678592
8 | - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
9 | - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
10 | author: PolyLogyx
11 | modified: 2018/12/11
12 | tags:
13 | - attack.defense_evasion
14 | - attack.t1140
15 | logsource:
16 | category: process_creation
17 | product: win_plgx_extension
18 | detection:
19 | selection:
20 | cmdline:
21 | - '*h^t^t^p*'
22 | - '*h"t"t"p*'
24 | condition: selection
25 | falsepositives:
26 | - False positives depend on scripts and administrative tools used in the monitored
27 | environment
28 | level: low
29 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_cmd_http_appdata.yml:
--------------------------------------------------------------------------------
1 | title: Command Line Execution with suspicious URL and AppData Strings
2 | status: experimental
3 | description: Detects a suspicious command line execution that includes an URL and
4 | AppData string in the command line parameters as used by several droppers (js/vbs
5 | > powershell)
6 | references:
7 | - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
8 | - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
9 | author: PolyLogyx
10 | tags:
11 | - attack.execution
12 | - attack.t1059
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline:
19 | - cmd.exe /c *http://*%AppData%
20 | - cmd.exe /c *https://*%AppData%
21 | condition: selection
22 | falsepositives:
23 | - High
24 | level: medium
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_control_dll_load.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Control Panel DLL Load
2 | status: experimental
3 | description: Detects suspicious Rundll32 execution from control.exe as used by Equation
4 | Group and Exploit Kits
5 | author: PolyLogyx
6 | date: 2017/04/15
7 | references:
8 | - https://twitter.com/rikvduijn/status/853251879320662017
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1073
12 | - attack.t1085
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path: '*\System32\control.exe'
19 | cmdline: '*\rundll32.exe *'
20 | filter:
21 | cmdline: '*Shell32.dll*'
22 | condition: selection and not filter
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_csc.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Parent of Csc.exe
2 | description: Detects a suspicious parent of csc.exe, which could be a sign of payload
3 | delivery
4 | status: experimental
5 | references:
6 | - https://twitter.com/SBousseaden/status/1094924091256176641
7 | author: PolyLogyx
8 | date: 2019/02/11
9 | tags:
10 | - attack.defense_evasion
11 | - attack.t1036
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | path: '*\csc.exe*'
18 | parent_path:
19 | - '*\wscript.exe'
20 | - '*\cscript.exe'
21 | - '*\mshta.exe'
22 | condition: selection
23 | falsepositives:
24 | - Unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_exec_folder.yml:
--------------------------------------------------------------------------------
1 | title: Executables Started in Suspicious Folder
2 | status: experimental
3 | description: Detects process starts of binaries from a suspicious folder
4 | author: PolyLogyx
5 | date: 2017/10/14
6 | modified: 2019/02/21
7 | references:
8 | - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
9 | - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
10 | - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
11 | tags:
12 | - attack.defense_evasion
13 | - attack.t1036
14 | logsource:
15 | category: process_creation
16 | product: win_plgx_extension
17 | detection:
18 | selection:
19 | path:
20 | - C:\PerfLogs\\*
21 | - C:\$Recycle.bin\\*
22 | - C:\Intel\Logs\\*
23 | - C:\Users\Default\\*
24 | - C:\Users\Public\\*
25 | - C:\Users\NetworkService\\*
26 | - C:\Windows\Fonts\\*
27 | - C:\Windows\Debug\\*
28 | - C:\Windows\Media\\*
29 | - C:\Windows\Help\\*
30 | - C:\Windows\addins\\*
31 | - C:\Windows\repair\\*
32 | - C:\Windows\security\\*
33 | - '*\RSA\MachineKeys\\*'
34 | - C:\Windows\system32\config\systemprofile\\*
35 | condition: selection
36 | falsepositives:
37 | - Unknown
38 | level: high
39 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_execution_path.yml:
--------------------------------------------------------------------------------
1 | title: Execution in Non-Executable Folder
2 | status: experimental
3 | description: Detects a suspicious execution from an uncommon folder
4 | author: PolyLogyx
5 | tags:
6 | - attack.defense_evasion
7 | - attack.t1036
8 | logsource:
9 | category: process_creation
10 | product: win_plgx_extension
11 | detection:
12 | selection:
13 | path:
14 | - '*\$Recycle.bin\\*'
15 | - '*\Users\All Users\\*'
16 | - '*\Users\Default\\*'
17 | - '*\Users\Public\\*'
18 | - C:\Perflogs\\*
19 | - '*\config\systemprofile\\*'
20 | - '*\Windows\Fonts\\*'
21 | - '*\Windows\IME\\*'
22 | - '*\Windows\addins\\*'
23 | condition: selection
24 | falsepositives:
25 | - Unknown
26 | level: high
27 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_execution_path_webserver.yml:
--------------------------------------------------------------------------------
1 | title: Execution in Webserver Root Folder
2 | status: experimental
3 | description: Detects a suspicious program execution in a web service root folder (filter
4 | out false positives)
5 | author: PolyLogyx
6 | tags:
7 | - attack.persistence
8 | - attack.t1100
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | path:
15 | - '*\wwwroot\\*'
16 | - '*\wmpub\\*'
17 | - '*\htdocs\\*'
18 | filter:
19 | path:
20 | - '*bin\\*'
21 | - '*\Tools\\*'
22 | - '*\SMSComponent\\*'
23 | parent_path:
24 | - '*\services.exe'
25 | condition: selection and not filter
26 | falsepositives:
27 | - Various applications
28 | - Tools that include ping or nslookup command invocations
29 | level: medium
30 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_gup.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious GUP Usage
2 | description: Detects execution of the Notepad++ updater in a suspicious directory,
3 | which is often used in DLL side-loading attacks
4 | status: experimental
5 | references:
6 | - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1073
10 | author: PolyLogyx
11 | date: 2019/02/06
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | path: '*\GUP.exe'
18 | filter:
19 | path: '*\updater\*'
20 | condition: selection and not filter
21 | falsepositives:
22 | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_iss_module_install.yml:
--------------------------------------------------------------------------------
1 | title: IIS Native-Code Module Command Line Installation
2 | description: Detects suspicious IIS native-code module installations via command line
3 | status: experimental
4 | references:
5 | - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
6 | author: PolyLogyx
7 | modified: 2018/12/11
8 | tags:
9 | - attack.persistence
10 | - attack.t1100
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - '*\APPCMD.EXE install module /name:*'
18 | condition: selection
19 | falsepositives:
20 | - Unknown, as it may vary from organisation to organisation how admins install
21 | IIS modules
22 | level: medium
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_mmc_source.yml:
--------------------------------------------------------------------------------
1 | title: Processes created by MMC
2 | status: experimental
3 | description: Processes started by MMC could be a sign of lateral movement using MMC
4 | application COM object
5 | references:
6 | - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
7 | tags:
8 | - attack.lateral_movement
9 | - attack.t1175
10 | logsource:
11 | category: process_creation
12 | product: win_plgx_extension
13 | detection:
14 | selection:
15 | parent_path: '*\mmc.exe'
16 | path: '*\cmd.exe'
17 | exclusion:
18 | cmdline: '*\RunCmd.cmd'
19 | condition: selection and not exclusion
20 | falsepositives:
21 | - unknown
22 | level: medium
23 | author: PolyLogyx
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_msiexec_web_install.yml:
--------------------------------------------------------------------------------
1 | title: MsiExec Web Install
2 | status: experimental
3 | description: Detects suspicious msiexec process starts with web addresses as parameter
4 | references:
5 | - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
6 | tags:
7 | - attack.defense_evasion
8 | author: PolyLogyx
9 | date: 2018/02/09
10 | modified: 2018/12/11
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - '* msiexec*://*'
18 | condition: selection
19 | falsepositives:
20 | - False positives depend on scripts and administrative tools used in the monitored
21 | environment
22 | level: medium
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_net_execution.yml:
--------------------------------------------------------------------------------
1 | title: Net.exe Execution
2 | status: experimental
3 | description: Detects execution of Net.exe, whether suspicious or benign.
4 | references:
5 | - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
6 | author: PolyLogyx
7 | tags:
8 | - attack.s0039
9 | - attack.lateral_movement
10 | - attack.discovery
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | path:
17 | - '*\net.exe'
18 | - '*\net1.exe'
19 | cmdline:
20 | - '* group*'
21 | - '* localgroup*'
22 | - '* user*'
23 | - '* view*'
24 | - '* share'
25 | - '* accounts*'
26 | - '* use*'
27 | condition: selection
28 | falsepositives:
29 | - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,cmdline
30 | following the search for easy hunting by computer/cmdline.
31 | level: low
32 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_ntdsutil.yml:
--------------------------------------------------------------------------------
1 | title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
2 | description: Detects execution of ntdsutil.exe, which can be used for various attacks
3 | against the NTDS database (NTDS.DIT)
4 | status: experimental
5 | references:
6 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
7 | author: PolyLogyx
8 | tags:
9 | - attack.credential_access
10 | - attack.t1003
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline: '*\ntdsutil*'
17 | condition: selection
18 | falsepositives:
19 | - NTDS maintenance
20 | level: high
21 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_outlook.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Execution from Outlook
2 | status: experimental
3 | description: Detects EnableUnsafeClientMailRules in a command line (used by tools such as Ruler for script execution from Outlook) or outlook.exe spawning an executable from a UNC path
4 | references:
5 | - https://github.com/sensepost/ruler
6 | - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
7 | tags:
8 | - attack.execution
9 | - attack.t1059
10 | - attack.t1202
11 | author: PolyLogyx
12 | date: 2018/12/27
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | clientMailRules:
18 | cmdline: '*EnableUnsafeClientMailRules*'
19 | outlookExec:
20 | parent_path: '*\outlook.exe'
21 | cmdline: \\\\*\\*.exe
22 | condition: clientMailRules or outlookExec
23 | falsepositives:
24 | - unknown
25 | level: high
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_ping_hex_ip.yml:
--------------------------------------------------------------------------------
1 | title: Ping Hex IP
2 | description: Detects a ping command that uses a hex encoded IP address
3 | references:
4 | - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
5 | - https://twitter.com/vysecurity/status/977198418354491392
6 | author: PolyLogyx
7 | date: 2018/03/23
8 | tags:
9 | - attack.defense_evasion
10 | - attack.t1140
11 | - attack.t1027
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | cmdline:
18 | - '*\ping.exe 0x*'
19 | - '*\ping 0x*'
20 | condition: selection
21 | falsepositives:
22 | - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_powershell_enc_cmd.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Encoded PowerShell Command Line
2 | description: Detects suspicious powershell process starts with base64 encoded commands
3 | status: experimental
4 | references:
5 | - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
6 | author: PolyLogyx
7 | date: 2018/09/03
8 | tags:
9 | - attack.execution
10 | - attack.t1086
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - '* -e JAB*'
18 | - '* -enc JAB*'
19 | - '* -encodedcommand JAB*'
20 | - '* BA^J e-'
21 | falsepositive1:
22 | cmdline: '* -ExecutionPolicy remotesigned *'
23 | condition: selection and not falsepositive1
24 | level: high
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_powershell_hidden_b64_cmd.yml:
--------------------------------------------------------------------------------
1 | title: Malicious Base64 encoded PowerShell Keywords in command lines
2 | status: experimental
3 | description: Detects base64 encoded strings used in hidden malicious PowerShell command
4 | lines
5 | references:
6 | - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
7 | tags:
8 | - attack.execution
9 | - attack.t1086
10 | author: PolyLogyx
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | encoded:
16 | path: '*\powershell.exe'
17 | cmdline: '* hidden *'
18 | selection:
19 | cmdline:
20 | - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
21 | - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
22 | - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
23 | - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
24 | - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
25 | - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
26 | - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
27 | - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
28 | - '*JGNodW5rX3Npem*'
29 | - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
30 | - '*RjaHVua19zaXpl*'
31 | - '*Y2h1bmtfc2l6Z*'
32 | - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
33 | - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
34 | - '*lPLkNvbXByZXNzaW9u*'
35 | - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
36 | - '*SU8uQ29tcHJlc3Npb2*'
37 | - '*Ty5Db21wcmVzc2lvb*'
38 | - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
39 | - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
40 | - '*lPLk1lbW9yeVN0cmVhb*'
41 | - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
42 | - '*SU8uTWVtb3J5U3RyZWFt*'
43 | - '*Ty5NZW1vcnlTdHJlYW*'
44 | - '*4ARwBlAHQAQwBoAHUAbgBrA*'
45 | - '*5HZXRDaHVua*'
46 | - '*AEcAZQB0AEMAaAB1AG4Aaw*'
47 | - '*LgBHAGUAdABDAGgAdQBuAGsA*'
48 | - '*LkdldENodW5r*'
49 | - '*R2V0Q2h1bm*'
50 | - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
51 | - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
52 | - '*RIUkVBRF9JTkZPNj*'
53 | - '*SFJFQURfSU5GTzY0*'
54 | - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
55 | - '*VEhSRUFEX0lORk82N*'
56 | - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
57 | - '*cmVhdGVSZW1vdGVUaHJlYW*'
58 | - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
59 | - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
60 | - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
61 | - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
62 | - '*0AZQBtAG0AbwB2AGUA*'
63 | - '*1lbW1vdm*'
64 | - '*AGUAbQBtAG8AdgBlA*'
65 | - '*bQBlAG0AbQBvAHYAZQ*'
66 | - '*bWVtbW92Z*'
67 | - '*ZW1tb3Zl*'
68 | condition: encoded and selection
69 | falsepositives:
70 | - Penetration tests
71 | level: high
72 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_powershell_parent_combo.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious PowerShell Invocation based on Parent Process
2 | status: experimental
3 | description: Detects suspicious powershell invocations from interpreters or unusual
4 | programs
5 | author: PolyLogyx
6 | references:
7 | - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
8 | tags:
9 | - attack.execution
10 | - attack.t1086
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | parent_path:
17 | - '*\wscript.exe'
18 | - '*\cscript.exe'
19 | path:
20 | - '*\powershell.exe'
21 | falsepositive:
22 | CurrentDirectory: '*\Health Service State\\*'
23 | condition: selection and not falsepositive
24 | falsepositives:
25 | - Microsoft Operations Manager (MOM)
26 | - Other scripts
27 | level: medium
28 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_procdump.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Use of Procdump
2 | description: Detects suspicious uses of the SysInternals Procdump utility by using
3 | a special command line parameter in combination with the lsass.exe process. This
4 | way we're also able to catch cases in which the attacker has renamed the procdump
5 | executable.
6 | status: experimental
7 | references:
8 | - Internal Research
9 | author: PolyLogyx
10 | date: 2018/10/30
11 | tags:
12 | - attack.defense_evasion
13 | - attack.t1036
14 | - attack.credential_access
15 | - attack.t1003
16 | logsource:
17 | category: process_creation
18 | product: win_plgx_extension
19 | detection:
20 | selection1:
21 | cmdline:
22 | - '* -ma *'
23 | selection2:
24 | cmdline:
25 | - '* lsass.exe*'
26 | condition: selection1 and selection2
27 | falsepositives:
28 | - Unlikely, because no one should dump an lsass process memory
29 | - Another tool that uses the command line switches of Procdump
30 | level: medium
31 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_process_creations.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Process Creation
2 | description: Detects suspicious process starts on Windows systems based on keywords
3 | status: experimental
4 | references:
5 | - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
6 | - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
7 | - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
8 | - https://twitter.com/subTee/status/872244674609676288
9 | - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
10 | - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
11 | - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
12 | - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
13 | - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
14 | - https://twitter.com/vector_sec/status/896049052642533376
15 | - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
16 | author: PolyLogyx
17 | modified: 2018/12/11
18 | logsource:
19 | category: process_creation
20 | product: win_plgx_extension
21 | detection:
22 | selection:
23 | cmdline:
24 | - vssadmin.exe delete shadows*
25 | - vssadmin delete shadows*
26 | - vssadmin create shadow /for=C:*
27 | - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
28 | - copy \\?\GLOBALROOT\Device\\*\config\SAM*
29 | - reg SAVE HKLM\SYSTEM *
30 | - reg SAVE HKLM\SAM *
31 | - '* sekurlsa:*'
32 | - net localgroup administrators * /add
33 | - net group "Domain Admins" * /ADD /DOMAIN
34 | - certutil.exe *-urlcache* http*
35 | - certutil.exe *-urlcache* ftp*
36 | - netsh advfirewall firewall *\AppData\\*
37 | - attrib +S +H +R *\AppData\\*
38 | - schtasks* /create *\AppData\\*
39 | - schtasks* /sc minute*
40 | - '*\Regasm.exe *\AppData\\*'
41 | - '*\Regasm *\AppData\\*'
42 | - '*\bitsadmin* /transfer*'
43 | - '*\certutil.exe * -decode *'
44 | - '*\certutil.exe * -decodehex *'
45 | - '*\certutil.exe -ping *'
46 | - icacls * /grant Everyone:F /T /C /Q
47 | - '* wmic shadowcopy delete *'
48 | - '* wbadmin.exe delete catalog -quiet*'
49 | - '*\wscript.exe *.jse'
50 | - '*\wscript.exe *.js'
51 | - '*\wscript.exe *.vba'
52 | - '*\wscript.exe *.vbe'
53 | - '*\cscript.exe *.jse'
54 | - '*\cscript.exe *.js'
55 | - '*\cscript.exe *.vba'
56 | - '*\cscript.exe *.vbe'
57 | - '*\fodhelper.exe'
58 | - '*waitfor*/s*'
59 | - '*waitfor*/si persist*'
60 | - '*remote*/s*'
61 | - '*remote*/c*'
62 | - '*remote*/q*'
63 | - '*AddInProcess*'
64 | - '* /stext *'
65 | - '* /scomma *'
66 | - '* /stab *'
67 | - '* /stabular *'
68 | - '* /shtml *'
69 | - '* /sverhtml *'
70 | - '* /sxml *'
71 | condition: selection
72 | falsepositives:
73 | - False positives depend on scripts and administrative tools used in the monitored
74 | environment
75 | level: medium
76 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_prog_location_process_starts.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Program Location Process Starts
2 | status: experimental
3 | description: Detects programs running in suspicious files system locations
4 | references:
5 | - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
6 | tags:
7 | - attack.defense_evasion
8 | - attack.t1036
9 | author: PolyLogyx
10 | date: 2019/01/15
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | path:
17 | - '*\$Recycle.bin'
18 | - '*\Users\Public\\*'
19 | - C:\Perflogs\\*
20 | - '*\Windows\Fonts\\*'
21 | - '*\Windows\IME\\*'
22 | - '*\Windows\addins\\*'
23 | - '*\Windows\debug\\*'
24 | condition: selection
25 | falsepositives:
26 | - unknown
27 | level: high
28 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_ps_appdata.yml:
--------------------------------------------------------------------------------
1 | title: PowerShell Script Run in AppData
2 | status: experimental
3 | description: Detects a suspicious command line execution that invokes PowerShell with
4 | reference to an AppData folder
5 | references:
6 | - https://twitter.com/JohnLaTwC/status/1082851155481288706
7 | - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
8 | tags:
9 | - attack.execution
10 | - attack.t1086
11 | author: PolyLogyx
12 | date: 2019/01/09
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline:
19 | - '* /c powershell*\AppData\Local\\*'
20 | - '* /c powershell*\AppData\Roaming\\*'
21 | condition: selection
22 | falsepositives:
23 | - Administrative scripts
24 | level: medium
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_rasdial_activity.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious RASdial Activity
2 | description: Detects suspicious process related to rasdial.exe
3 | status: experimental
4 | references:
5 | - https://twitter.com/subTee/status/891298217907830785
6 | author: PolyLogyx
7 | tags:
8 | - attack.defense_evasion
9 | - attack.execution
10 | - attack.t1064
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - rasdial
18 | condition: selection
19 | falsepositives:
20 | - False positives depend on scripts and administrative tools used in the monitored
21 | environment
22 | level: medium
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_recon_activity.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Reconnaissance Activity
2 | status: experimental
3 | description: Detects suspicious command line activity on Windows systems
4 | author: PolyLogyx
5 | tags:
6 | - attack.discovery
7 | - attack.t1087
8 | logsource:
9 | category: process_creation
10 | product: win_plgx_extension
11 | detection:
12 | selection:
13 | cmdline:
14 | - net group "domain admins" /domain
15 | - net localgroup administrators
16 | condition: selection
17 | falsepositives:
18 | - Inventory tool runs
19 | - Penetration tests
20 | - Administrative activity
21 | analysis:
22 | recommendation: Check if the user that executed the commands is suspicious (e.g.
23 | service accounts, LOCAL_SYSTEM)
24 | level: medium
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_regsvr32_anomalies.yml:
--------------------------------------------------------------------------------
1 | title: Regsvr32 Anomaly
2 | status: experimental
3 | description: Detects various anomalies in relation to regsvr32.exe
4 | author: PolyLogyx
5 | references:
6 | - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
7 | tags:
8 | - attack.t1117
9 | - attack.defense_evasion
10 | - attack.execution
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection1:
16 | path: '*\regsvr32.exe'
17 | cmdline: '*\Temp\\*'
18 | selection2:
19 | path: '*\regsvr32.exe'
20 | parent_path: '*\powershell.exe'
21 | selection3:
22 | path: '*\regsvr32.exe'
23 | cmdline:
24 | - '*/i:http* scrobj.dll'
25 | - '*/i:ftp* scrobj.dll'
26 | selection4:
27 | path: '*\wscript.exe'
28 | parent_path: '*\regsvr32.exe'
29 | selection5:
30 | path: '*\EXCEL.EXE'
31 | cmdline: '*..\..\..\Windows\System32\regsvr32.exe *'
32 | condition: 1 of them
33 | falsepositives:
34 | - Unknown
35 | level: high
36 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_run_locations.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Process Start Locations
2 | description: Detects suspicious process run from unusual locations
3 | status: experimental
4 | references:
5 | - https://car.mitre.org/wiki/CAR-2013-05-002
6 | author: PolyLogyx
7 | tags:
8 | - attack.defense_evasion
9 | - attack.t1036
10 | - car.2013-05-002
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | cmdline:
17 | - '*:\RECYCLER\\*'
18 | - '*:\SystemVolumeInformation\\*'
19 | - '%windir%\Tasks\\*'
20 | - '%systemroot%\debug\\*'
21 | condition: selection
22 | falsepositives:
23 | - False positives depend on scripts and administrative tools used in the monitored
24 | environment
25 | level: medium
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_rundll32_activity.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Rundll32 Activity
2 | description: Detects suspicious process related to rundll32 based on arguments
3 | status: experimental
4 | references:
5 | - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
6 | - https://twitter.com/Hexacorn/status/885258886428725250
7 | - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
8 | tags:
9 | - attack.defense_evasion
10 | - attack.execution
11 | - attack.t1085
12 | author: PolyLogyx
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline:
19 | - '*\rundll32.exe* url.dll,*OpenURL *'
20 | - '*\rundll32.exe* url.dll,*OpenURLA *'
21 | - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
22 | - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
23 | - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
24 | - '*\rundll32.exe javascript:*'
25 | - '* url.dll,*OpenURL *'
26 | - '* url.dll,*OpenURLA *'
27 | - '* url.dll,*FileProtocolHandler *'
28 | - '* zipfldr.dll,*RouteTheCall *'
29 | - '* Shell32.dll,*Control_RunDLL *'
30 | - '* javascript:*'
31 | - '*.RegisterXLL*'
32 | condition: selection
33 | falsepositives:
34 | - False positives depend on scripts and administrative tools used in the monitored
35 | environment
36 | level: medium
37 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_schtask_creation.yml:
--------------------------------------------------------------------------------
1 | title: Scheduled Task Creation
2 | status: experimental
3 | description: Detects the creation of scheduled tasks in user session
4 | author: PolyLogyx
5 | logsource:
6 | category: process_creation
7 | product: win_plgx_extension
8 | detection:
9 | selection:
10 | path: '*\schtasks.exe'
11 | cmdline: '* /create *'
12 | filter:
13 | owner_uid: NT AUTHORITY\SYSTEM
14 | condition: selection and not filter
15 | tags:
16 | - attack.execution
17 | - attack.persistence
18 | - attack.privilege_escalation
19 | - attack.t1053
20 | - attack.s0111
21 | falsepositives:
22 | - Administrative activity
23 | - Software installation
24 | level: low
25 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_script_execution.yml:
--------------------------------------------------------------------------------
1 | title: WSF/JSE/JS/VBA/VBE File Execution
2 | status: experimental
3 | description: Detects suspicious file execution by wscript and cscript
4 | author: PolyLogyx
5 | tags:
6 | - attack.execution
7 | - attack.t1064
8 | logsource:
9 | category: process_creation
10 | product: win_plgx_extension
11 | detection:
12 | selection:
13 | path:
14 | - '*\wscript.exe'
15 | - '*\cscript.exe'
16 | cmdline:
17 | - '*.jse'
18 | - '*.vbe'
19 | - '*.js'
20 | - '*.vba'
21 | condition: selection
22 | falsepositives:
23 | - Will need to be tuned. I recommend adding the user profile path in cmdline if
24 | it is getting too noisy.
25 | level: medium
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_squirrel_lolbin.yml:
--------------------------------------------------------------------------------
1 | title: Squirrel Lolbin
2 | status: experimental
3 | description: Detects Possible Squirrel Packages Manager as Lolbin
4 | references:
5 | - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
6 | tags:
7 | - attack.execution
8 | author: PolyLogyx
9 | falsepositives:
10 | - 1Clipboard
11 | - Beaker Browser
12 | - Caret
13 | - Collectie
14 | - Discord
15 | - Figma
16 | - Flow
17 | - Ghost
18 | - GitHub Desktop
19 | - GitKraken
20 | - Hyper
21 | - Insomnia
22 | - JIBO
23 | - Kap
24 | - Kitematic
25 | - Now Desktop
26 | - Postman
27 | - PostmanCanary
28 | - Rambox
29 | - Simplenote
30 | - Skype
31 | - Slack
32 | - SourceTree
33 | - Stride
34 | - Svgsus
35 | - WebTorrent
36 | - WhatsApp
37 | - WordPress.com
38 | - atom
39 | - gitkraken
40 | - slack
41 | - teams
42 | level: high
43 | logsource:
44 | category: process_creation
45 | product: win_plgx_extension
46 | detection:
47 | selection:
48 | path:
49 | - '*\update.exe'
50 | cmdline:
51 | - '*--processStart*.exe*'
52 | - "*\u2013createShortcut*.exe*"
53 | condition: selection
54 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_svchost.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious Svchost Process
2 | status: experimental
3 | description: Detects a suspicious svchost process start
4 | tags:
5 | - attack.defense_evasion
6 | - attack.t1036
7 | author: PolyLogyx
8 | date: 2017/08/15
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | path: '*\svchost.exe'
15 | filter:
16 | parent_path:
17 | - '*\services.exe'
18 | - '*\MsMpEng.exe'
19 | - '*\Mrt.exe'
20 | condition: selection and not filter
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_sysprep_appdata.yml:
--------------------------------------------------------------------------------
1 | title: Sysprep on AppData Folder
2 | status: experimental
3 | description: Detects suspicious sysprep process start with AppData folder as target
4 | (as used by Trojan Syndicasec in Thrip report by Symantec)
5 | references:
6 | - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
7 | - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
8 | tags:
9 | - attack.execution
10 | author: PolyLogyx
11 | date: 2018/06/22
12 | modified: 2018/12/11
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline:
19 | - '*\sysprep.exe *\AppData\\*'
20 | - sysprep.exe *\AppData\\*
21 | condition: selection
22 | falsepositives:
23 | - False positives depend on scripts and administrative tools used in the monitored
24 | environment
25 | level: medium
26 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_sysvol_access.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious SYSVOL Domain Group Policy Access
2 | status: experimental
3 | description: Detects Access to Domain Group Policies stored in SYSVOL
4 | references:
5 | - https://adsecurity.org/?p=2288
6 | - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
7 | author: PolyLogyx
8 | date: 2018/04/09
9 | modified: 2018/12/11
10 | tags:
11 | - attack.credential_access
12 | - attack.t1003
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline: '*\SYSVOL\\*\policies\\*'
19 | condition: selection
20 | falsepositives:
21 | - administrative activity
22 | level: medium
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_taskmgr_localsystem.yml:
--------------------------------------------------------------------------------
1 | title: Taskmgr as LOCAL_SYSTEM
2 | status: experimental
3 | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
4 | tags:
5 | - attack.defense_evasion
6 | - attack.t1036
7 | author: PolyLogyx
8 | date: 2018/03/18
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | owner_uid: NT AUTHORITY\SYSTEM
15 | path: '*\taskmgr.exe'
16 | condition: selection
17 | falsepositives:
18 | - Unknown
19 | level: high
20 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_taskmgr_parent.yml:
--------------------------------------------------------------------------------
1 | title: Taskmgr as Parent
2 | status: experimental
3 | description: Detects the creation of a process from Windows task manager
4 | tags:
5 | - attack.defense_evasion
6 | - attack.t1036
7 | author: PolyLogyx
8 | date: 2018/03/13
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | parent_path: '*\taskmgr.exe'
15 | filter:
16 | path:
17 | - resmon.exe
18 | - mmc.exe
19 | condition: selection and not filter
20 | falsepositives:
21 | - Administrative activity
22 | level: low
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_tscon_localsystem.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious TSCON Start
2 | status: experimental
3 | description: Detects a tscon.exe start as LOCAL SYSTEM
4 | references:
5 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
6 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
7 | author: PolyLogyx
8 | date: 2018/03/17
9 | tags:
10 | - attack.command_and_control
11 | - attack.t1219
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | owner_uid: NT AUTHORITY\SYSTEM
18 | path: '*\tscon.exe'
19 | condition: selection
20 | falsepositives:
21 | - Unknown
22 | level: high
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_tscon_rdp_redirect.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious RDP Redirect Using TSCON
2 | status: experimental
3 | description: Detects a suspicious RDP session redirect using tscon.exe
4 | references:
5 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
6 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
7 | tags:
8 | - attack.lateral_movement
9 | - attack.privilege_escalation
10 | - attack.t1076
11 | author: PolyLogyx
12 | date: 2018/03/17
13 | modified: 2018/12/11
14 | logsource:
15 | category: process_creation
16 | product: win_plgx_extension
17 | detection:
18 | selection:
19 | cmdline: '* /dest:rdp-tcp:*'
20 | condition: selection
21 | falsepositives:
22 | - Unknown
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_vssadmin_ntds_activity.yml:
--------------------------------------------------------------------------------
1 | title: Activity Related to NTDS.dit Domain Hash Retrieval
2 | status: experimental
3 | description: Detects suspicious commands that could be related to activity that uses
4 | volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
5 | author: PolyLogyx
6 | references:
7 | - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
8 | - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
9 | - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
10 | - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
11 | - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
12 | tags:
13 | - attack.credential_access
14 | - attack.t1003
15 | logsource:
16 | category: process_creation
17 | product: win_plgx_extension
18 | detection:
19 | selection:
20 | cmdline:
21 | - vssadmin.exe Delete Shadows
22 | - 'vssadmin create shadow /for=C:'
23 | - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
24 | - copy \\?\GLOBALROOT\Device\\*\config\SAM
25 | - 'vssadmin delete shadows /for=C:'
26 | - 'reg SAVE HKLM\SYSTEM '
27 | - esentutl.exe /y /vss *\ntds.dit*
28 | condition: selection
29 | falsepositives:
30 | - Administrative activity
31 | level: high
32 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_whoami.yml:
--------------------------------------------------------------------------------
1 | title: Whoami Execution
2 | status: experimental
3 | description: Detects the execution of whoami, which is often used by attackers after
4 | exploitation / privilege escalation but rarely used by administrators
5 | references:
6 | - https://twitter.com/haroonmeer/status/939099379834658817
7 | - https://twitter.com/c_APT_ure/status/939475433711722497
8 | author: PolyLogyx
9 | date: 2018/05/22
10 | tags:
11 | - attack.discovery
12 | - attack.t1033
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | cmdline: whoami
19 | condition: selection
20 | falsepositives:
21 | - Admin activity
22 | - Scripts and administrative tools used in the monitored environment
23 | level: high
24 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_susp_wmi_execution.yml:
--------------------------------------------------------------------------------
1 | title: Suspicious WMI execution
2 | status: experimental
3 | description: Detects WMI executing suspicious commands
4 | references:
5 | - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
6 | - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
7 | - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
8 | author: PolyLogyx
9 | logsource:
10 | category: process_creation
11 | product: win_plgx_extension
12 | detection:
13 | selection:
14 | path:
15 | - '*\wmic.exe'
16 | cmdline:
17 | - '*/NODE:*process call create *'
18 | - '* path AntiVirusProduct get *'
19 | - '* path FirewallProduct get *'
20 | - '* shadowcopy delete *'
21 | condition: selection
22 | tags:
23 | - attack.execution
24 | - attack.t1047
25 | - car.2016-03-002
26 | falsepositives:
27 | - Will need to be tuned
28 | - If using Splunk, I recommend appending | stats count by Computer,cmdline for
29 | easy hunting by Computer/cmdline.
30 | level: medium
31 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_system_exe_anomaly.yml:
--------------------------------------------------------------------------------
1 | title: System File Execution Location Anomaly
2 | status: experimental
3 | description: Detects a Windows program executable started in a suspicious folder
4 | references:
5 | - https://twitter.com/GelosSnake/status/934900723426439170
6 | author: PolyLogyx
7 | date: 2017/11/27
8 | tags:
9 | - attack.defense_evasion
10 | - attack.t1036
11 | logsource:
12 | category: process_creation
13 | product: win_plgx_extension
14 | detection:
15 | selection:
16 | path:
17 | - '*\svchost.exe'
18 | - '*\rundll32.exe'
19 | - '*\services.exe'
20 | - '*\powershell.exe'
21 | - '*\regsvr32.exe'
22 | - '*\spoolsv.exe'
23 | - '*\lsass.exe'
24 | - '*\smss.exe'
25 | - '*\csrss.exe'
26 | - '*\conhost.exe'
27 | filter:
28 | path:
29 | - '*\System32\\*'
30 | - '*\SysWow64\\*'
31 | condition: selection and not filter
32 | falsepositives:
33 | - Exotic software
34 | level: high
35 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_vul_java_remote_debugging.yml:
--------------------------------------------------------------------------------
1 | title: Java Running with Remote Debugging
2 | description: Detects a JAVA process running with remote debugging allowing more than
3 | just localhost to connect
4 | author: PolyLogyx
5 | tags:
6 | - attack.discovery
7 | - attack.t1046
8 | logsource:
9 | category: process_creation
10 | product: win_plgx_extension
11 | detection:
12 | selection:
13 | cmdline: '*transport=dt_socket,address=*'
14 | exclusion:
15 | - cmdline: '*address=127.0.0.1*'
16 | - cmdline: '*address=localhost*'
17 | condition: selection and not exclusion
18 | falsepositives:
19 | - unknown
20 | level: medium
21 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_webshell_detection.yml:
--------------------------------------------------------------------------------
1 | title: Webshell Detection With Command Line Keywords
2 | description: Detects certain command line parameters often used during reconnaissance
3 | activity via web shells
4 | author: PolyLogyx
5 | logsource:
6 | category: process_creation
7 | product: win_plgx_extension
8 | detection:
9 | selection:
10 | parent_path:
11 | - '*\apache*'
12 | - '*\tomcat*'
13 | - '*\w3wp.exe'
14 | - '*\php-cgi.exe'
15 | - '*\nginx.exe'
16 | - '*\httpd.exe'
17 | cmdline:
18 | - whoami
19 | - net user
20 | - ping -n
21 | - systeminfo
22 | condition: selection
23 | tags:
24 | - attack.privilege_escalation
25 | - attack.persistence
26 | - attack.t1100
27 | falsepositives:
28 | - unknown
29 | level: high
30 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_webshell_spawn.yml:
--------------------------------------------------------------------------------
1 | title: Shells Spawned by Web Servers
2 | status: experimental
3 | description: Web server processes that spawn a shell (cmd, sh, bash, PowerShell) could be the result of a successfully
4 | placed web shell or another attack
5 | author: PolyLogyx
6 | logsource:
7 | category: process_creation
8 | product: win_plgx_extension
9 | detection:
10 | selection:
11 | parent_path:
12 | - '*\w3wp.exe'
13 | - '*\httpd.exe'
14 | - '*\nginx.exe'
15 | - '*\php-cgi.exe'
16 | path:
17 | - '*\cmd.exe'
18 | - '*\sh.exe'
19 | - '*\bash.exe'
20 | - '*\powershell.exe'
21 | condition: selection
22 | tags:
23 | - attack.privilege_escalation
24 | - attack.persistence
25 | - attack.t1100
26 | falsepositives:
27 | - Particular web applications may spawn a shell process legitimately
28 | level: high
29 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_wmi_persistence_script_event_consumer.yml:
--------------------------------------------------------------------------------
1 | title: WMI Persistence - Script Event Consumer
2 | status: experimental
3 | description: Detects the WMI script event consumer host (scrcons.exe) started by svchost.exe, as happens when a script-based WMI event consumer fires
4 | references:
5 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
6 | author: PolyLogyx
7 | date: 2018/03/07
8 | tags:
9 | - attack.execution
10 | - attack.persistence
11 | - attack.t1047
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | path: C:\WINDOWS\system32\wbem\scrcons.exe
18 | parent_path: C:\Windows\System32\svchost.exe
19 | condition: selection
20 | falsepositives:
21 | - Legitimate event consumers
22 | level: high
23 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_wmi_spwns_powershell.yml:
--------------------------------------------------------------------------------
1 | title: WMI Spawning Windows PowerShell
2 | status: experimental
3 | description: Detects Windows PowerShell spawned by the WMI provider host (wmiprvse.exe), as happens when a command is executed through WMI
4 | references:
5 | - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
6 | - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
7 | author: PolyLogyx
8 | date: 2019/04/03
9 | tags:
10 | - attack.execution
11 | - attack.defense_evasion
12 | - attack.t1064
13 | logsource:
14 | category: process_creation
15 | product: win_plgx_extension
16 | detection:
17 | selection:
18 | parent_path:
19 | - '*\wmiprvse.exe'
20 | path:
21 | - '*\powershell.exe'
22 | condition: selection
23 | falsepositives:
24 | - AppvClient
25 | - CCM
26 | level: high
27 |
--------------------------------------------------------------------------------
/process_creation/sigma/win_workflow_compiler.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Workflow Compiler
2 | status: experimental
3 | description: Detects invocation of Microsoft Workflow Compiler, which may permit the
4 | execution of arbitrary unsigned code.
5 | tags:
6 | - attack.defense_evasion
7 | - attack.execution
8 | - attack.t1127
9 | author: PolyLogyx
10 | references:
11 | - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
12 | logsource:
13 | category: process_creation
14 | product: win_plgx_extension
15 | detection:
16 | selection:
17 | path: '*\Microsoft.Workflow.Compiler.exe'
18 | condition: selection
19 | falsepositives:
20 | - Legitimate MWC use (unlikely in modern enterprise environments)
21 | level: high
22 |
--------------------------------------------------------------------------------