├── Emerging_Threats ├── blackmatter_ransomware.yml ├── guloader.yml └── log4j.yml ├── MITRE_ATTACK └── windows │ ├── T1015.yml │ ├── T1042.yml │ ├── T1053.yml │ ├── T1103.yml │ ├── T1121.yml │ ├── T1122.yml │ ├── T1136.yml │ ├── T1138.yml │ ├── T1158.yml │ ├── T1170.yml │ ├── T1182.yml │ ├── T1191.yml │ ├── T1196.yml │ ├── T1197.yml │ └── T1218.yml ├── README.md ├── Sigma ├── README.md ├── dr_rules │ ├── apt │ │ ├── apt_apt29_thinktanks.yml │ │ ├── apt_babyshark.yml │ │ ├── apt_bear_activity_gtr19.yml │ │ ├── apt_carbonpaper_turla.yml │ │ ├── apt_chafer_mar18.yml │ │ ├── apt_cloudhopper.yml │ │ ├── apt_dragonfly.yml │ │ ├── apt_elise.yml │ │ ├── apt_emissarypanda_sep19.yml │ │ ├── apt_equationgroup_dll_u_load.yml │ │ ├── apt_equationgroup_lnx.yml │ │ ├── apt_hurricane_panda.yml │ │ ├── apt_judgement_panda_gtr19.yml │ │ ├── apt_oceanlotus_registry.yml │ │ ├── apt_pandemic.yml │ │ ├── apt_slingshot.yml │ │ ├── apt_sofacy.yml │ │ ├── apt_sofacy_zebrocy.yml │ │ ├── apt_stonedrill.yml │ │ ├── apt_ta17_293a_ps.yml │ │ ├── apt_tropictrooper.yml │ │ ├── apt_turla_commands.yml │ │ ├── apt_turla_namedpipes.yml │ │ ├── apt_turla_service_png.yml │ │ ├── apt_unidentified_nov_18.yml │ │ ├── apt_zxshell.yml │ │ └── crime_fireball.yml │ ├── compliance │ │ ├── group_modification_logging.yml │ │ └── workstation_was_locked.yml │ ├── linux │ │ ├── lnx_buffer_overflows.yml │ │ ├── lnx_clamav.yml │ │ ├── lnx_shell_clear_cmd_history.yml │ │ ├── lnx_shell_priv_esc_prep.yml │ │ ├── lnx_shell_susp_commands.yml │ │ ├── lnx_shell_susp_log_entries.yml │ │ ├── lnx_shell_susp_rev_shells.yml │ │ ├── lnx_shellshock.yml │ │ ├── lnx_ssh_cve_2018_15473.yml │ │ ├── lnx_susp_jexboss.yml │ │ ├── lnx_susp_named.yml │ │ ├── lnx_susp_ssh.yml │ │ └── lnx_susp_vsftp.yml │ ├── linux_auditd │ │ └── lnx_auditd_susp_exe_folders.yml │ ├── windows_builtin │ │ ├── win_GPO_scheduledtasks.yml │ │ ├── win_account_backdoor_dcsync_rights.yml │ │ ├── win_account_discovery.yml │ │ ├── win_admin_rdp_login.yml │ │ ├── 
win_admin_share_access.yml │ │ ├── win_alert_ad_user_backdoors.yml │ │ ├── win_alert_lsass_access.yml │ │ ├── win_alert_ruler.yml │ │ ├── win_atsvc_task.yml │ │ ├── win_dcsync.yml │ │ ├── win_disable_event_logging.yml │ │ ├── win_hack_smbexec.yml │ │ ├── win_impacket_secretdump.yml │ │ ├── win_lm_namedpipe.yml │ │ ├── win_mal_service_installs.yml │ │ ├── win_mal_wceaux_dll.yml │ │ ├── win_net_ntlm_downgrade.yml │ │ ├── win_overpass_the_hash.yml │ │ ├── win_pass_the_hash.yml │ │ ├── win_pass_the_hash_2.yml │ │ ├── win_rare_schtasks_creations.yml │ │ ├── win_rare_service_installs.yml │ │ ├── win_rdp_bluekeep_poc_scanner.yml │ │ ├── win_rdp_localhost_login.yml │ │ ├── win_rdp_potential_cve-2019-0708.yml │ │ ├── win_rdp_reverse_tunnel.yml │ │ ├── win_susp_add_sid_history.yml │ │ ├── win_susp_backup_delete.yml │ │ ├── win_susp_dhcp_config.yml │ │ ├── win_susp_dhcp_config_failed.yml │ │ ├── win_susp_dns_config.yml │ │ ├── win_susp_dsrm_password_change.yml │ │ ├── win_susp_eventlog_cleared.yml │ │ ├── win_susp_failed_logon_reasons.yml │ │ ├── win_susp_failed_logons_single_source.yml │ │ ├── win_susp_interactive_logons.yml │ │ ├── win_susp_kerberos_manipulation.yml │ │ ├── win_susp_lsass_dump.yml │ │ ├── win_susp_mshta_execution.yml │ │ ├── win_susp_net_recon_activity.yml │ │ ├── win_susp_ntlm_auth.yml │ │ ├── win_susp_psexec.yml │ │ ├── win_susp_raccess_sensitive_fext.yml │ │ ├── win_susp_rc4_kerberos.yml │ │ ├── win_susp_samr_pwset.yml │ │ ├── win_susp_sdelete.yml │ │ ├── win_susp_security_eventlog_cleared.yml │ │ ├── win_susp_time_modification.yml │ │ ├── win_svcctl_remote_service.yml │ │ ├── win_usb_device_plugged.yml │ │ ├── win_user_added_to_local_administrators.yml │ │ └── win_user_creation.yml │ ├── windows_malware │ │ ├── win_mal_ryuk.yml │ │ └── win_mal_ursnif.yml │ ├── windows_other │ │ ├── win_rare_schtask_creation.yml │ │ └── win_tool_psexec.yml │ ├── windows_process_creation │ │ ├── powershell_xor_commandline.yml │ │ ├── win_apt_bluemashroom.yml │ │ ├── 
win_attrib_hiding_files.yml │ │ ├── win_cmdkey_recon.yml │ │ ├── win_cmstp_com_object_access.yml │ │ ├── win_control_panel_item.yml │ │ ├── win_encoded_frombase64string.yml │ │ ├── win_encoded_iex.yml │ │ ├── win_etw_trace_evasion.yml │ │ ├── win_exploit_cve_2015_1641.yml │ │ ├── win_exploit_cve_2017_0261.yml │ │ ├── win_exploit_cve_2017_11882.yml │ │ ├── win_exploit_cve_2017_8759.yml │ │ ├── win_hack_rubeus.yml │ │ ├── win_hwp_exploits.yml │ │ ├── win_impacket_lateralization.yml │ │ ├── win_install_reg_debugger_backdoor.yml │ │ ├── win_lethalhta.yml │ │ ├── win_mal_adwind.yml │ │ ├── win_malware_dridex.yml │ │ ├── win_malware_emotet.yml │ │ ├── win_malware_formbook.yml │ │ ├── win_malware_notpetya.yml │ │ ├── win_malware_qbot.yml │ │ ├── win_malware_script_dropper.yml │ │ ├── win_malware_wannacry.yml │ │ ├── win_mavinject_proc_inj.yml │ │ ├── win_mmc_spawn_shell.yml │ │ ├── win_mshta_spawn_shell.yml │ │ ├── win_multiple_suspicious_cli.yml │ │ ├── win_netsh_fw_add.yml │ │ ├── win_netsh_port_fwd.yml │ │ ├── win_netsh_port_fwd_3389.yml │ │ ├── win_office_shell.yml │ │ ├── win_office_spawn_exe_from_users_directory.yml │ │ ├── win_plugx_susp_exe_locations.yml │ │ ├── win_possible_applocker_bypass.yml │ │ ├── win_powershell_amsi_bypass.yml │ │ ├── win_powershell_b64_shellcode.yml │ │ ├── win_powershell_download.yml │ │ ├── win_powershell_suspicious_parameter_variation.yml │ │ ├── win_powersploit_empire_schtasks.yml │ │ ├── win_proc_wrong_parent.yml │ │ ├── win_process_creation_bitsadmin_download.yml │ │ ├── win_psexesvc_start.yml │ │ ├── win_ransomware_shadowcopy.yml │ │ ├── win_renamed_binary.yml │ │ ├── win_sdbinst_shim_persistence.yml │ │ ├── win_susp_bcdedit.yml │ │ ├── win_susp_calc.yml │ │ ├── win_susp_certutil_command.yml │ │ ├── win_susp_certutil_encode.yml │ │ ├── win_susp_cli_escape.yml │ │ ├── win_susp_cmd_http_appdata.yml │ │ ├── win_susp_codepage_switch.yml │ │ ├── win_susp_commands_recon_activity.yml │ │ ├── win_susp_compression_params.yml │ │ ├── 
win_susp_comsvcs_procdump.yml │ │ ├── win_susp_control_dll_load.yml │ │ ├── win_susp_csc.yml │ │ ├── win_susp_csc_folder.yml │ │ ├── win_susp_double_extension.yml │ │ ├── win_susp_eventlog_clear.yml │ │ ├── win_susp_exec_folder.yml │ │ ├── win_susp_execution_path.yml │ │ ├── win_susp_execution_path_webserver.yml │ │ ├── win_susp_fsutil_usage.yml │ │ ├── win_susp_gup.yml │ │ ├── win_susp_iss_module_install.yml │ │ ├── win_susp_msiexec_web_install.yml │ │ ├── win_susp_net_execution.yml │ │ ├── win_susp_ntdsutil.yml │ │ ├── win_susp_outlook.yml │ │ ├── win_susp_outlook_temp.yml │ │ ├── win_susp_ping_hex_ip.yml │ │ ├── win_susp_powershell_empire_launch.yml │ │ ├── win_susp_powershell_empire_uac_bypass.yml │ │ ├── win_susp_powershell_enc_cmd.yml │ │ ├── win_susp_powershell_hidden_b64_cmd.yml │ │ ├── win_susp_procdump.yml │ │ ├── win_susp_process_creations.yml │ │ ├── win_susp_prog_location_process_starts.yml │ │ ├── win_susp_ps_appdata.yml │ │ ├── win_susp_rasdial_activity.yml │ │ ├── win_susp_recon_activity.yml │ │ ├── win_susp_regsvr32_anomalies.yml │ │ ├── win_susp_run_locations.yml │ │ ├── win_susp_rundll32_activity.yml │ │ ├── win_susp_rundll32_by_ordinal.yml │ │ ├── win_susp_schtask_creation.yml │ │ ├── win_susp_script_execution.yml │ │ ├── win_susp_squirrel_lolbin.yml │ │ ├── win_susp_svchost.yml │ │ ├── win_susp_sysprep_appdata.yml │ │ ├── win_susp_sysvol_access.yml │ │ ├── win_susp_taskmgr_localsystem.yml │ │ ├── win_susp_taskmgr_parent.yml │ │ ├── win_susp_tscon_localsystem.yml │ │ ├── win_susp_tscon_rdp_redirect.yml │ │ ├── win_susp_userinit_child.yml │ │ ├── win_susp_vssadmin_ntds_activity.yml │ │ ├── win_susp_whoami.yml │ │ ├── win_susp_wmi_execution.yml │ │ ├── win_system_exe_anomaly.yml │ │ ├── win_termserv_proc_spawn.yml │ │ ├── win_vul_java_remote_debugging.yml │ │ ├── win_webshell_detection.yml │ │ ├── win_webshell_spawn.yml │ │ ├── win_win10_sched_task_0day.yml │ │ ├── win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── 
win_wmi_persistence_script_event_consumer.yml │ │ ├── win_wmi_spwns_powershell.yml │ │ └── win_workflow_compiler.yml │ └── windows_sysmon │ │ ├── sysmon_ads_executable.yml │ │ ├── sysmon_cactustorch.yml │ │ ├── sysmon_cmstp_execution.yml │ │ ├── sysmon_cobaltstrike_process_injection.yml │ │ ├── sysmon_dhcp_calloutdll.yml │ │ ├── sysmon_dns_serverlevelplugindll.yml │ │ ├── sysmon_ghostpack_safetykatz.yml │ │ ├── sysmon_lsass_memdump.yml │ │ ├── sysmon_mal_namedpipes.yml │ │ ├── sysmon_malware_backconnect_ports.yml │ │ ├── sysmon_malware_verclsid_shellcode.yml │ │ ├── sysmon_mimikatz_detection_lsass.yml │ │ ├── sysmon_mimikatz_inmemory_detection.yml │ │ ├── sysmon_mimikatz_trough_winrm.yml │ │ ├── sysmon_password_dumper_lsass.yml │ │ ├── sysmon_powershell_exploit_scripts.yml │ │ ├── sysmon_powershell_network_connection.yml │ │ ├── sysmon_quarkspw_filedump.yml │ │ ├── sysmon_rdp_reverse_tunnel.yml │ │ ├── sysmon_rdp_settings_hijack.yml │ │ ├── sysmon_renamed_powershell.yml │ │ ├── sysmon_renamed_psexec.yml │ │ ├── sysmon_rundll32_net_connections.yml │ │ ├── sysmon_ssp_added_lsa_config.yml │ │ ├── sysmon_stickykey_like_backdoor.yml │ │ ├── sysmon_susp_download_run_key.yml │ │ ├── sysmon_susp_driver_load.yml │ │ ├── sysmon_susp_file_characteristics.yml │ │ ├── sysmon_susp_image_load.yml │ │ ├── sysmon_susp_lsass_dll_load.yml │ │ ├── sysmon_susp_powershell_rundll32.yml │ │ ├── sysmon_susp_prog_location_network_connection.yml │ │ ├── sysmon_susp_rdp.yml │ │ ├── sysmon_susp_reg_persist_explorer_run.yml │ │ ├── sysmon_susp_run_key_img_folder.yml │ │ ├── sysmon_suspicious_keyboard_layout_load.yml │ │ ├── sysmon_sysinternals_eula_accepted.yml │ │ ├── sysmon_tsclient_filewrite_startup.yml │ │ ├── sysmon_uac_bypass_eventvwr.yml │ │ ├── sysmon_uac_bypass_sdclt.yml │ │ ├── sysmon_win_binary_github_com.yml │ │ ├── sysmon_win_binary_susp_com.yml │ │ ├── sysmon_win_reg_persistence.yml │ │ ├── sysmon_wmi_event_subscription.yml │ │ ├── 
sysmon_wmi_persistence_commandline_event_consumer.yml │ │ ├── sysmon_wmi_persistence_script_event_consumer_write.yml │ │ └── sysmon_wmi_susp_scripting.yml └── generate_all.py ├── _config.yml ├── amnesty-international-mfa-phishing.json ├── amnesty-international-mfa-phishing.yml ├── powershell-encoded-commands.yml ├── productivity-dropper.yaml ├── win-acl-tampering.json ├── win-acl-tampering.yaml ├── win-password-dump.json ├── win-password-dump.yaml ├── win-shadow-volume-tampering.json ├── win-shadow-volume-tampering.yaml ├── win-suspicious-command-line.json ├── win-suspicious-command-line.yaml ├── win-suspicious-exec-location.json ├── win-suspicious-exec-location.yaml ├── win-suspicious-exec-name.json ├── win-suspicious-exec-name.yaml └── winrm_code_exec.yml /MITRE_ATTACK/windows/T1015.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1015 2 | # Detects changes to the accessibility components and 3 | # execution of those components. 4 | op: and 5 | events: 6 | - NEW_DOCUMENT 7 | - NEW_PROCESS 8 | rules: 9 | - op: is windows 10 | - op: matches 11 | path: event/FILE_PATH 12 | re: .*\\Windows\\System32\\(sethc|utilman|osk|magnify|narrator|DisplaySwitch|AtBroker)\.exe$ 13 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1042.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1042 2 | # Detects modifications to the extension handlers. 3 | # This is not necessarily malicious. 
4 | op: and 5 | event: REGISTRY_WRITE 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: starts with 11 | path: event/REGISTRY_KEY 12 | value: \REGISTRY\MACHINE\SOFTWARE\Classes\ 13 | case sensitive: false 14 | - op: contains 15 | path: event/REGISTRY_KEY 16 | value: Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts 17 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1053.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1053 2 | # This is not a complete detection, it is a pointer on how to 3 | # detect new scheduled tasks for further analysis. 4 | op: and 5 | event: NEW_DOCUMENT 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: contains 11 | path: event/FILE_PATH 12 | value: System32\Tasks 13 | case sensitive: false 14 | 15 | # The following is an example of a Response component 16 | # that fetches the content of the cached scheduled job 17 | # file whose format is described here: 18 | # https://www.forensicswiki.org/wiki/Windows_Job_File_Format 19 | - action: task 20 | command: 21 | - doc_cache_get 22 | - -s 23 | - <> -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1103.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1103 2 | # Detect changes to the registry key. 
3 | op: and 4 | event: REGISTRY_WRITE 5 | rules: 6 | - op: is windows 7 | - op: matches 8 | path: event/REGISTRY_KEY 9 | re: .*Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs.* 10 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1121.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1121 2 | # Detects the execution of Regsvcs/Regasm. This assumes there are no 3 | # legitimate uses of it in your environment. 4 | op: and 5 | event: NEW_PROCESS 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: ends with 11 | path: event/FILE_PATH 12 | value: regsvcs.exe 13 | case sensitive: false 14 | - op: ends with 15 | path: event/FILE_PATH 16 | value: regasm.exe 17 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1122.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1122 2 | # Detects modifications to COM object handlers. 3 | # This is not necessarily malicious. 4 | op: and 5 | event: REGISTRY_WRITE 6 | rules: 7 | - op: is windows 8 | - op: contains 9 | path: event/REGISTRY_KEY 10 | value: \SOFTWARE\Classes\CLSID\ 11 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1136.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1136 2 | # Detects the creation of users from the command line. 
3 | op: and 4 | event: NEW_PROCESS 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: net.exe 10 | case sensitive: false 11 | - op: matches 12 | path: event/COMMAND_LINE 13 | re: \s*user\s+\S+\s+\S+.* 14 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1138.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1138 2 | # Detects installation of a shim using sdbinst.exe. 3 | op: and 4 | event: NEW_PROCESS 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: sdbinst.exe 10 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1158.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1158 2 | # Detects making a file hidden from the command line. 3 | op: and 4 | event: NEW_PROCESS 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: attrib.exe 10 | case sensitive: false 11 | - op: contains 12 | path: event/COMMAND_LINE 13 | value: +h 14 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1170.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1170 2 | # Detects the execution of mshta.exe. This assumes there are no 3 | # legitimate uses of it in your environment. 
4 | op: and 5 | event: NEW_PROCESS 6 | rules: 7 | - op: is windows 8 | - op: ends with 9 | path: event/FILE_PATH 10 | value: mshta.exe 11 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1182.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1182 2 | # Detect changes to the registry key. 3 | op: and 4 | event: REGISTRY_WRITE 5 | rules: 6 | - op: is windows 7 | - op: contains 8 | path: event/REGISTRY_KEY 9 | value: System\CurrentControlSet\Control\Session Manager 10 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1191.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1191 2 | # Detects the execution of the CMSTP.exe process. 3 | op: and 4 | event: NEW_PROCESS 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: CMSTP.exe 10 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1196.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1196 2 | # Detects the execution of a CPL outside the c:\windows directory. 3 | op: and 4 | event: CODE_IDENTITY 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: .cpl 10 | case sensitive: false 11 | - op: matches 12 | path: event/FILE_PATH 13 | re: ^.\:\\windows\\ 14 | not: true -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1197.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1197 2 | # Detects instantiations of the BITSAdmin tool. 
3 | op: and 4 | event: NEW_PROCESS 5 | rules: 6 | - op: is windows 7 | - op: ends with 8 | path: event/FILE_PATH 9 | value: bitsadmin.exe 10 | case sensitive: false -------------------------------------------------------------------------------- /MITRE_ATTACK/windows/T1218.yml: -------------------------------------------------------------------------------- 1 | # https://attack.mitre.org/wiki/Technique/T1218 2 | # Detects execution of Mavinject.exe, this is not always malicious 3 | # so this should be used as a pointer for further analysis. 4 | op: and 5 | event: NEW_PROCESS 6 | rules: 7 | - op: is windows 8 | - op: ends with 9 | path: event/FILE_PATH 10 | value: Mavinject.exe 11 | case sensitive: false -------------------------------------------------------------------------------- /Sigma/README.md: -------------------------------------------------------------------------------- 1 | # Sigma Rules 2 | These are LimaCharlie [D&R rules](https://doc.limacharlie.io/en/master/dr/) generated by 3 | the LimaCharlie backend for [Sigma](https://github.com/Neo23x0/sigma). 4 | 5 | If you want to generate them yourself, from this repo: 6 | 7 | ``` 8 | git clone https://github.com/refractionPOINT/sigma 9 | python3 ./generate_all.py 10 | ``` 11 | 12 | The rules are not authored by the LimaCharlie team, to find the original 13 | rule and author see [the originals](https://github.com/Neo23x0/sigma/tree/master/rules). 14 | 15 | Many of the rules for Windows are based on Windows Event Logs. These are not collected by 16 | LimaCharlie by default, but they can be collected automatically using the [External Logs](https://doc.limacharlie.io/en/master/external_logs/) 17 | service. Most Windows Event Logs are located in: `c:\windows\system32\winevt\logs\`. 
-------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_apt29_thinktanks.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: contains 10 | path: event/COMMAND_LINE 11 | value: -noni -ep bypass $ 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: This method detects a suspicious powershell command line combination 17 | as used by APT29 in a campaign against US think tanks 18 | level: critical 19 | references: 20 | - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 21 | tags: 22 | - attack.execution 23 | - attack.g0016 24 | - attack.t1086 25 | name: APT29 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_babyshark.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: is 12 | path: event/COMMAND_LINE 13 | value: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 14 | - case sensitive: false 15 | op: starts with 16 | path: event/COMMAND_LINE 17 | value: powershell.exe mshta.exe http 18 | - case sensitive: false 19 | op: is 20 | path: event/COMMAND_LINE 21 | value: cmd.exe /c taskkill /im cmd.exe 22 | respond: 23 | - action: report 24 | metadata: 25 | author: Florian Roth 26 | description: Detects activity that could be related to Baby Shark malware 27 | level: high 28 | references: 29 | - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 30 | tags: 31 | - 
attack.execution 32 | - attack.t1059 33 | - attack.t1086 34 | - attack.discovery 35 | - attack.t1012 36 | - attack.defense_evasion 37 | - attack.t1170 38 | name: Baby Shark Activity 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_bear_activity_gtr19.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: ends with 14 | path: event/FILE_PATH 15 | value: \xcopy.exe 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: ' /S /E /C /Q /H \' 20 | - op: and 21 | rules: 22 | - case sensitive: false 23 | op: ends with 24 | path: event/FILE_PATH 25 | value: \adexplorer.exe 26 | - case sensitive: false 27 | op: contains 28 | path: event/COMMAND_LINE 29 | value: ' -snapshot "" c:\users\' 30 | respond: 31 | - action: report 32 | metadata: 33 | author: Florian Roth 34 | description: Detects Russian group activity as described in Global Threat Report 35 | 2019 by Crowdstrike 36 | level: critical 37 | references: 38 | - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 39 | tags: 40 | - attack.credential_access 41 | - attack.t1081 42 | - attack.t1003 43 | name: Judgement Panda Exfil Activity 44 | 45 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_carbonpaper_turla.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '7045' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: is 13 | path: Event/EventData/ServiceName 14 | value: srservice 15 | - case sensitive: false 16 | op: is 17 | path: 
Event/EventData/ServiceName 18 | value: ipvpn 19 | - case sensitive: false 20 | op: is 21 | path: Event/EventData/ServiceName 22 | value: hkmsvc 23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | description: This method detects a service install of malicious services mentioned 28 | in Carbon Paper - Turla report by ESET 29 | level: high 30 | references: 31 | - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ 32 | tags: 33 | - attack.persistence 34 | - attack.g0010 35 | - attack.t1050 36 | name: Turla Service Install 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_cloudhopper.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \cscript.exe 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: '.vbs /shell ' 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects suspicious file execution by wscript and cscript 23 | level: critical 24 | references: 25 | - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf 26 | tags: 27 | - attack.execution 28 | - attack.g0045 29 | - attack.t1064 30 | name: WMIExec VBS Script 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_dragonfly.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: ends with 10 | path: event/FILE_PATH 11 | value: \crackmapexec.exe 12 | respond: 13 | - action: report 14 | metadata: 15 | 
author: Markus Neis 16 | description: Detects CrackMapExecWin Activity as Described by NCSC 17 | level: critical 18 | references: 19 | - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 20 | tags: 21 | - attack.g0035 22 | name: CrackMapExecWin 23 | 24 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_elise.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: is 14 | path: event/FILE_PATH 15 | value: C:\Windows\SysWOW64\cmd.exe 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: '\Windows\Caches\NavShExt.dll ' 20 | - case sensitive: false 21 | op: ends with 22 | path: event/COMMAND_LINE 23 | value: \AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Florian Roth 28 | description: Detects Elise backdoor acitivty as used by APT32 29 | level: critical 30 | references: 31 | - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting 32 | tags: 33 | - attack.g0030 34 | - attack.g0050 35 | - attack.s0081 36 | name: Elise Backdoor 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_emissarypanda_sep19.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \sllauncher.exe 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 
| value: \svchost.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects the execution of DLL side-loading malware used by threat 23 | group Emissary Panda aka APT27 24 | level: critical 25 | references: 26 | - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 27 | - https://twitter.com/cyb3rops/status/1168863899531132929 28 | name: Emissary Panda Malware SLLauncher 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_equationgroup_dll_u_load.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: ends with 14 | path: event/FILE_PATH 15 | value: \rundll32.exe 16 | - case sensitive: false 17 | op: ends with 18 | path: event/COMMAND_LINE 19 | value: ',dll_u' 20 | - case sensitive: false 21 | op: contains 22 | path: event/COMMAND_LINE 23 | value: ' -export dll_u ' 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Florian Roth 28 | description: Detects a specific tool and export used by EquationGroup 29 | level: critical 30 | references: 31 | - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= 32 | - https://securelist.com/apt-slingshot/84312/ 33 | - https://twitter.com/cyb3rops/status/972186477512839170 34 | tags: 35 | - attack.execution 36 | - attack.g0020 37 | - attack.t1059 38 | - attack.defense_evasion 39 | - attack.t1085 40 | name: Equation Group DLL_U Load 41 | 42 | -------------------------------------------------------------------------------- /Sigma/dr_rules/apt/apt_hurricane_panda.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: 
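is windows
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/COMMAND_LINE
          value: ' localgroup administrators admin /add'
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: \Win64.exe
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects Hurricane Panda Activity
      level: high
      references:
        - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
      tags:
        - attack.privilege_escalation
        - attack.g0009
        - attack.t1068
    name: Hurricane Panda Activity

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_slingshot.yml:
--------------------------------------------------------------------------------
# NOTE(review): this file defines two rules under repeated top-level `detect:` and
# `respond:` keys. A YAML mapping cannot carry duplicate keys, so a loader either
# rejects the file or keeps only one rule (typically the last), silently dropping the
# process-based one. Split it into two files, or separate the documents with `---`
# if the rule loader accepts multi-document files — confirm before relying on it.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      re: .*schtasks.*\ /delete\ .*Defrag\\ScheduledDefrag.*
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
      level: medium
      references:
        - https://securelist.com/apt-slingshot/84312/
      tags:
        - attack.persistence
        - attack.t1053
        - attack.s0111
    name: Defrag Deactivation

# Second rule: the same deactivation seen through the Security log (4701 = scheduled task disabled).
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '4701'
    - case sensitive: false
      op: is
      path: Event/EventData/TaskName
      value: \Microsoft\Windows\Defrag\ScheduledDefrag
  target: log
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
      level: medium
      references:
        - https://securelist.com/apt-slingshot/84312/
      tags:
        - attack.persistence
        - attack.t1053
        - attack.s0111
    name: Defrag Deactivation

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_sofacy.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # NOTE(review): %APPDATA% is matched as a literal, unexpanded token — confirm that is
        # the form seen in the referenced samples; an expanded path will not match these regexes.
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: rundll32\.exe\ %APPDATA%\\.*\.dat",.*
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: rundll32\.exe\ %APPDATA%\\.*\.dll",\#1
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects Trojan loader activity as used by APT28
      level: critical
      references:
        - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
        - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
        - https://twitter.com/ClearskySec/status/960924755355369472
      tags:
        - attack.g0007
        - attack.execution
        - attack.t1059
        - attack.defense_evasion
        - attack.t1085
        - car.2013-10-002
    name: Sofacy Trojan Loader Activity

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_sofacy_zebrocy.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: ends with
      path: event/COMMAND_LINE
      value: cmd.exe /c SYSTEMINFO & TASKLIST
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects Sofacy's Zebrocy malware execution
      level: critical
      references:
        - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
      tags:
        - attack.execution
        - attack.g0020
        - attack.t1059
    name: Sofacy Zebrocy

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_stonedrill.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '7045'
    - case sensitive: false
      op: is
      path: Event/EventData/ServiceName
      value: NtsSrv
    - case sensitive: false
      op: ends with
      path: Event/EventData/ServiceFileName
      value: ' LocalService'
  target: log
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
      level: high
      references:
        - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
      tags:
        - attack.persistence
        - attack.g0064
        - attack.t1050
    name: StoneDrill Service Install

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_ta17_293a_ps.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # `is` requires the whole command line to equal this string; a command line that carries a
    # path or quotes around ps.exe will not match (`ends with` / `contains` would be broader).
    - case sensitive: false
      op: is
      path: event/COMMAND_LINE
      value: ps.exe -accepteula
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
      level: high
      references:
        - https://www.us-cert.gov/ncas/alerts/TA17-293A
      tags:
        - attack.defense_evasion
        - attack.g0035
        - attack.t1036
        - car.2013-05-009
    name: Ps.exe Renamed SysInternals Tool

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_tropictrooper.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: contains
      path: event/COMMAND_LINE
      value: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
respond:
  - action: report
    metadata:
      author: '@41thexplorer, Windows Defender ATP'
      description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
      level: high
      references:
        - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
      tags:
        - attack.execution
        - attack.t1085
    name: TropicTrooper Campaign November 2018

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_turla_namedpipes.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  # NOTE(review): EventID 17/18 together with a PipeName field are Sysmon pipe events; no
  # channel constraint is visible here, so confirm the `wel` source is scoped to the Sysmon
  # channel to avoid colliding with EventID 17/18 from other providers.
  rules:
    - op: or
      rules:
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '17'
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '18'
    - op: or
      rules:
        - case sensitive: false
          op: is
          path: Event/EventData/PipeName
          value: \atctl
        - case sensitive: false
          op: is
          path: Event/EventData/PipeName
          value: \userpipe
        - case sensitive: false
          op: is
          path: Event/EventData/PipeName
          value: \iehelper
        - case sensitive: false
          op: is
          path: Event/EventData/PipeName
          value: \sdlrpc
        - case sensitive: false
          op: is
          path: Event/EventData/PipeName
          value: \comnap
  target: log
respond:
  - action: report
    metadata:
      author: Markus Neis
      description: Detects a named pipe used by Turla group samples
      level: critical
      references:
        - Internal Research
      tags:
        - attack.g0010
    name: Turla Group Named Pipes

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_turla_service_png.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '7045'
    - case sensitive: false
      op: is
      path: Event/EventData/ServiceName
      value: WerFaultSvc
  target: log
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
      level: critical
      references:
        - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
      tags:
        - attack.persistence
        - attack.g0010
        - attack.t1050
    name: Turla PNG Dropper Service

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/apt_zxshell.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: rundll32\.exe\ .*,zxFunction.*
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: rundll32\.exe\ .*,RemoteDiskXXXXX
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects a ZxShell start by the called and well-known function name
      level: critical
      references:
        - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
      tags:
        - attack.g0001
        - attack.execution
        - attack.t1059
        - attack.defense_evasion
        - attack.t1085
    name: ZxShell Malware

--------------------------------------------------------------------------------
/Sigma/dr_rules/apt/crime_fireball.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      re: .*\\rundll32\.exe\ .*,InstallArcherSvc
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects Archer malware invocation via rundll32
      level: high
      references:
        - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
        - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
      tags:
        - attack.execution
        - attack.t1059
        - attack.defense_evasion
        - attack.t1085
    name: Fireball Archer Install

--------------------------------------------------------------------------------
/Sigma/dr_rules/compliance/workstation_was_locked.yml:
--------------------------------------------------------------------------------
# Compliance visibility rule: reports every 4800 (workstation locked) event.
detect:
  case sensitive: false
  log type: wel
  op: is
  path: Event/System/EventID
  target: log
  value: '4800'
respond:
  - action: report
    metadata:
      author: Alexandr Yampolskyi, SOC Prime
      description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
      level: low
      references:
        - https://www.cisecurity.org/controls/cis-controls-list/
        - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
        - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
        - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
      tags:
        - CSC16
        - CSC16.11
        - ISO27002-2013 A.9.1.1
        - ISO27002-2013 A.9.2.1
        - ISO27002-2013 A.9.2.2
        - ISO27002-2013 A.9.2.3
        - ISO27002-2013 A.9.2.4
        - ISO27002-2013 A.9.2.5
        - ISO27002-2013 A.9.2.6
        - ISO27002-2013 A.9.3.1
        - ISO27002-2013 A.9.4.1
        - ISO27002-2013 A.9.4.3
        - ISO27002-2013 A.11.2.8
        - PCI DSS 3.1 7.1
        - PCI DSS 3.1 7.2
        - PCI DSS 3.1 7.3
        - PCI DSS 3.1 8.7
        - PCI DSS 3.1 8.8
        - NIST CSF 1.1 PR.AC-1
        - NIST CSF 1.1 PR.AC-4
        - NIST CSF 1.1 PR.AC-6
        - NIST CSF 1.1 PR.AC-7
        - NIST CSF 1.1 PR.PT-3
    name: Locked Workstation

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_buffer_overflows.yml:
--------------------------------------------------------------------------------
# NOTE(review): these patterns are syslog message fragments (see the description and the
# OSSEC reference); process command lines are unlikely to carry them, so this rule probably
# needs a log-based event source to fire at all — confirm which sensor events expose syslog.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: or
      rules:
        # `contains` (substring) instead of `is` (whole-value equality): the Sigma keywords
        # these came from are substring matches, and an exact match on a log fragment never fires.
        - op: contains
          path: event/COMMAND_LINE
          value: attempt to execute code on stack by
        - op: matches
          path: event/COMMAND_LINE
          re: FTP\ LOGIN\ FROM\ \..*\ 0bin0sh
        # `[\d+]` is regex syntax and cannot match literally; expressed as a regex instead.
        - op: matches
          path: event/COMMAND_LINE
          re: 'rpc\.statd\[\d+\]: gethostbyname error for'
        - op: contains
          path: event/COMMAND_LINE
          value: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
respond:
  - action: report
    metadata:
      description: Detects buffer overflow attempts in Unix system log files
      level: high
      references:
        - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
    name: Buffer Overflow Attempts

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_clamav.yml:
--------------------------------------------------------------------------------
# NOTE(review): `Trojan.*FOUND` etc. are ClamAV log lines (see the OSSEC reference); matching
# them against process command lines is unlikely to fire — confirm the intended event source.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: or
      rules:
        - op: matches
          path: event/COMMAND_LINE
          re: Trojan.*FOUND
        - op: matches
          path: event/COMMAND_LINE
          re: VirTool.*FOUND
        - op: matches
          path: event/COMMAND_LINE
          re: Webshell.*FOUND
        - op: matches
          path: event/COMMAND_LINE
          re: Rootkit.*FOUND
        - op: matches
          path: event/COMMAND_LINE
          re: Htran.*FOUND
respond:
  - action: report
    metadata:
      description: Detects relevant ClamAV messages
      level: high
      references:
        - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
    name: Relevant ClamAV Message

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_shell_clear_cmd_history.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: or
      rules:
        - op: matches
          path: event/COMMAND_LINE
          re: rm\ .*bash_history
        - op: matches
          path: event/COMMAND_LINE
          re: echo\ ""\ >\ .*bash_history
        - op: matches
          path: event/COMMAND_LINE
          re: cat\ /dev/null\ >\ .*bash_history
        - op: matches
          path: event/COMMAND_LINE
          re: ln\ \-sf\ /dev/null\ .*bash_history
        - op: matches
          path: event/COMMAND_LINE
          re: truncate\ \-s0\ .*bash_history
        # `export` and `history` are shell builtins that run inside the shell rather than as a
        # new process; they only surface in a command line such as `bash -c "history -c"`, which
        # an exact `is` match never hits. `contains` keeps the original Sigma substring semantics.
        - op: contains
          path: event/COMMAND_LINE
          value: export HISTFILESIZE=0
        - op: contains
          path: event/COMMAND_LINE
          value: history -c
        - op: contains
          path: event/COMMAND_LINE
          value: history -w
        - op: matches
          path: event/COMMAND_LINE
          re: shred\ .*bash_history
respond:
  - action: report
    metadata:
      author: Patrick Bareiss
      description: Clear command history in linux which is used for defense evasion.
      level: high
      references:
        - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
        - https://attack.mitre.org/techniques/T1146/
        - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
      tags:
        - attack.defense_evasion
        - attack.t1146
    name: Clear Command History

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_shell_susp_log_entries.yml:
--------------------------------------------------------------------------------
# NOTE(review): these are log-message fragments (see the description); process command lines
# are unlikely to carry them, so a log-based event source is probably needed — confirm.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: or
      rules:
        # `contains` instead of `is`: a fragment is never equal to an entire command line.
        - op: contains
          path: event/COMMAND_LINE
          value: entered promiscuous mode
        - op: contains
          path: event/COMMAND_LINE
          value: Deactivating service
        - op: contains
          path: event/COMMAND_LINE
          value: Oversized packet received from
        - op: contains
          path: event/COMMAND_LINE
          value: imuxsock begins to drop messages
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects suspicious log entries in Linux log files
      level: medium
    name: Suspicious Log Entries

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_shellshock.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    # The original entry was a bare `/…/` regex literal with no `op`/`path`, which is not a
    # valid rule node and could never evaluate; expressed as a `matches` rule (delimiters dropped).
    - op: matches
      path: event/COMMAND_LINE
      re: '\(\)\s*\t*\{.*;\s*\}\s*;'
respond:
  - action: report
    metadata:
      description: Detects shellshock expressions in log files
      level: high
      references:
        - http://rubular.com/r/zxBfjWfFYs
    name: Shellshock Expression

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_ssh_cve_2018_15473.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    # The original entry was a bare string with no `op`/`path` and could never evaluate;
    # expressed as a `contains` rule. The text is an sshd log line, so it is unlikely to appear
    # in a process command line — a log-based event source is probably needed; confirm.
    - op: contains
      path: event/COMMAND_LINE
      value: 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects exploitation attempt using public exploit code for CVE-2018-15473
      level: medium
      references:
        - https://github.com/Rhynorater/CVE-2018-15473-Exploit
    name: SSHD Error Message CVE-2018-15473

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_susp_jexboss.yml:
--------------------------------------------------------------------------------
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: and
      rules:
        # Both conditions sit under `and` on the same field, so `is` (whole-value equality)
        # could never satisfy both at once; `contains` matches the intended substrings.
        - op: contains
          path: event/COMMAND_LINE
          value: bash -c /bin/bash
        - op: contains
          path: event/COMMAND_LINE
          value: '&/dev/tcp/'
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects a suspicious command sequence used by JexBoss
      level: high
      references:
        - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
    name: JexBoss Command Sequence

--------------------------------------------------------------------------------
/Sigma/dr_rules/linux/lnx_susp_named.yml: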
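--------------------------------------------------------------------------------
# NOTE(review): these are BIND (named) log messages per the OSSEC reference; process command
# lines are unlikely to carry them, so a log-based event source is probably needed — confirm.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is linux
    - op: or
      rules:
        - op: contains
          path: event/COMMAND_LINE
          value: ' dropping source port zero packet from '
        - op: contains
          path: event/COMMAND_LINE
          value: ' denied AXFR from '
        - op: contains
          path: event/COMMAND_LINE
          value: ' exiting (due to fatal error)'
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
      level: high
      references:
        - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
    name: Suspicious Named Error

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_GPO_scheduledtasks.yml:
--------------------------------------------------------------------------------
# 5145 with WriteData on a ScheduledTasks.xml under SYSVOL: a GPO scheduled-task definition
# being written through the share.
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '5145'
    - case sensitive: false
      op: matches
      path: Event/EventData/ShareName
      re: \\.*\\SYSVOL
    - case sensitive: false
      op: ends with
      path: Event/EventData/RelativeTargetName
      value: ScheduledTasks.xml
    - case sensitive: false
      op: contains
      path: Event/EventData/Accesses
      value: WriteData
  target: log
respond:
  - action: report
    metadata:
      author: Samir Bousseaden
      description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
      level: high
      references:
        - https://twitter.com/menasec1/status/1106899890377052160
      tags:
        - attack.persistence
        - attack.lateral_movement
        - attack.t1053
    name: Persistence and Execution at scale via GPO scheduled task

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_account_backdoor_dcsync_rights.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '5136'
    - case sensitive: false
      op: is
      path: Event/EventData/LDAPDisplayName
      value: ntSecurityDescriptor
    - op: or
      rules:
        # 1131f6ad-… = DS-Replication-Get-Changes-All, 1131f6aa-… = DS-Replication-Get-Changes:
        # the extended rights whose grant enables DCSync-style replication requests.
        - case sensitive: false
          op: contains
          path: Event/EventData/Value
          value: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
        - case sensitive: false
          op: contains
          path: Event/EventData/Value
          value: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
  target: log
respond:
  - action: report
    metadata:
      author: Samir Bousseaden
      description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
      level: critical
      references:
        - https://twitter.com/menasec1/status/1111556090137903104
        - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
      tags:
        - attack.credential_access
        - attack.persistence
    name: Powerview Add-DomainObjectAcl DCSync AD Extend Right

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_admin_rdp_login.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '4624'
    - case sensitive: false
      op: is
      path: Event/EventData/LogonType
      value: '10'
    - case sensitive: false
      op: is
      path: Event/EventData/AuthenticationPackageName
      value: Negotiate
    # 4624 EventData carries the logged-on account as `TargetUserName`; there is no
    # `AccountName` field (that was a Sigma backend alias), so the original path never matched.
    # `Admin-` is a site-specific naming prefix (see description) — adjust to the local convention.
    - case sensitive: false
      op: starts with
      path: Event/EventData/TargetUserName
      value: Admin-
  target: log
respond:
  - action: report
    metadata:
      author: juju4
      description: Detect remote login by Administrator user depending on internal pattern
      level: low
      references:
        - https://car.mitre.org/wiki/CAR-2016-04-005
      tags:
        - attack.lateral_movement
        - attack.t1078
        - car.2016-04-005
    name: Admin User Remote Logon

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_admin_share_access.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - op: and
      rules:
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '5140'
        # 5140 reports ShareName in UNC form (`\\*\ADMIN$`), as the IPC$/ADMIN$ regexes in the
        # sibling 5145 rules already assume; a bare `Admin$` equality never matched.
        - case sensitive: false
          op: matches
          path: Event/EventData/ShareName
          re: \\.*\\ADMIN\$
    # Excludes machine accounts (names ending in `$`).
    - case sensitive: false
      not: true
      op: ends with
      path: Event/EventData/SubjectUserName
      value: $
  target: log
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects access to the ADMIN$ share
      level: low
      tags:
        - attack.lateral_movement
        - attack.t1077
    name: Access to ADMIN$ Share

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_alert_lsass_access.yml:
--------------------------------------------------------------------------------
# NOTE(review): 1121 with a Path field is the Defender ASR block event; confirm the `wel`
# source includes the Defender Operational channel, otherwise this rule never fires.
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '1121'
    - case sensitive: false
      op: ends with
      path: Event/EventData/Path
      value: \lsass.exe
  target: log
respond:
  - action: report
    metadata:
      author: Markus Neis
      description: Detects Access to LSASS Process
      level: high
      references:
        - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
      tags:
        - attack.credential_access
        - attack.t1003
    name: LSASS Access Detected via Attack Surface Reduction

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_alert_ruler.yml:
--------------------------------------------------------------------------------
# The RULER workstation name is the tool's default and client-supplied, so this is a
# high-confidence but easily evaded indicator.
detect:
  log type: wel
  op: or
  rules:
    - op: and
      rules:
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '4776'
        - case sensitive: false
          op: is
          path: Event/EventData/Workstation
          value: RULER
    - op: and
      rules:
        - op: or
          rules:
            - case sensitive: false
              op: is
              path: Event/System/EventID
              value: '4624'
            - case sensitive: false
              op: is
              path: Event/System/EventID
              value: '4625'
        - case sensitive: false
          op: is
          path: Event/EventData/WorkstationName
          value: RULER
  target: log
respond:
  - action: report
    metadata:
      author: Florian Roth
      description: Detects events that are generated when using the hacktool Ruler by Sensepost
      level: high
      references:
        - https://github.com/sensepost/ruler
        - https://github.com/sensepost/ruler/issues/47
        - https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
        - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
        - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
      tags:
        - attack.discovery
        - attack.execution
        - attack.t1087
        - attack.t1075
        - attack.t1114
        - attack.t1059
    name: Hacktool Ruler
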
--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_atsvc_task.yml:
--------------------------------------------------------------------------------
# 5145 with WriteData to the atsvc pipe over IPC$: remote scheduled-task creation traffic.
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '5145'
    - case sensitive: false
      op: matches
      path: Event/EventData/ShareName
      re: \\.*\\IPC\$
    - case sensitive: false
      op: is
      path: Event/EventData/RelativeTargetName
      value: atsvc
    - case sensitive: false
      op: contains
      path: Event/EventData/Accesses
      value: WriteData
  target: log
respond:
  - action: report
    metadata:
      author: Samir Bousseaden
      description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
      level: medium
      references:
        - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
      tags:
        - attack.lateral_movement
        - attack.persistence
        - attack.t1053
        - car.2013-05-004
        - car.2015-04-001
    name: Remote Task Creation via ATSVC named pipe

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_dcsync.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - op: and
      rules:
        - op: and
          rules:
            - case sensitive: false
              op: is
              path: Event/System/EventID
              value: '4662'
            # 4662 on the "Replicating Directory Changes All" control access right
            # (1131f6ad-… is its GUID form).
            - op: or
              rules:
                - case sensitive: false
                  op: contains
                  path: Event/EventData/Properties
                  value: Replicating Directory Changes All
                - case sensitive: false
                  op: contains
                  path: Event/EventData/Properties
                  value: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
        # Exclusions: the Window Manager pseudo-domain, NT AUTHORITY accounts and machine
        # accounts (names ending in `$`) — presumably the expected sources of replication
        # traffic (domain controllers are machine accounts).
        - case sensitive: false
          not: true
          op: is
          path: Event/EventData/SubjectDomainName
          value: Window Manager
    - not: true
      op: or
      rules:
        - case sensitive: false
          op: starts with
          path: Event/EventData/SubjectUserName
          value: NT AUTHORITY
        - case sensitive: false
          op: ends with
          path: Event/EventData/SubjectUserName
          value: $
  target: log
respond:
  - action: report
    metadata:
      author: Benjamin Delpy, Florian Roth
      description: Detects Mimikatz DC sync security events
      level: high
      references:
        - https://twitter.com/gentilkiwi/status/1003236624925413376
        - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
      tags:
        - attack.credential_access
        - attack.s0002
        - attack.t1003
    name: Mimikatz DC Sync

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_disable_event_logging.yml:
--------------------------------------------------------------------------------
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '4719'
    # NOTE(review): in the raw 4719 XML, `AuditPolicyChanges` holds `%%`-prefixed resource
    # IDs rather than the rendered words, and `is` needs an exact match of the whole field —
    # verify against a live event; a `contains` on the rendered form or on the codes that
    # mean "removed" is likely needed for this to fire.
    - case sensitive: false
      op: is
      path: Event/EventData/AuditPolicyChanges
      value: removed
  target: log
respond:
  - action: report
    metadata:
      author: '@neu5ron'
      description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
      level: high
      references:
        - https://bit.ly/WinLogsZero2Hero
      tags:
        - attack.defense_evasion
        - attack.t1054
    name: Disabling Windows Event Auditing

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_hack_smbexec.yml:
--------------------------------------------------------------------------------
# Both indicators (service name BTOBTO, file name execute.bat) are the tool's defaults and
# are trivially renamed; treat this as a high-confidence, low-coverage signal and keep
# generic 7045 monitoring (win_rare_service_installs) alongside it.
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '7045'
    - case sensitive: false
      op: is
      path: Event/EventData/ServiceName
      value: BTOBTO
    - case sensitive: false
      op: ends with
      path: Event/EventData/ServiceFileName
      value: \execute.bat
  target: log
respond:
  - action: report
    metadata:
      author: Omer Faruk Celik
      description: Detects the use of smbexec.py tool by detecting a specific service installation
      level: critical
      references:
        - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
      tags:
        - attack.lateral_movement
        - attack.execution
        - attack.t1077
        - attack.t1035
    name: smbexec.py Service Installation

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_impacket_secretdump.yml:
--------------------------------------------------------------------------------
# 5145 for a .tmp file under SYSTEM32 reached through ADMIN$ — presumably the staged
# registry-hive copies the tool writes remotely; verify against the referenced write-up.
detect:
  log type: wel
  op: and
  rules:
    - case sensitive: false
      op: is
      path: Event/System/EventID
      value: '5145'
    - case sensitive: false
      op: matches
      path: Event/EventData/ShareName
      re: \\.*\\ADMIN\$
    - case sensitive: false
      op: matches
      path: Event/EventData/RelativeTargetName
      re: SYSTEM32\\.*\.tmp
  target: log
respond:
  - action: report
    metadata:
      author: Samir Bousseaden
      description: Detect AD credential dumping using impacket secretdump HKTL
      level: high
      references:
        - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
      tags:
        - attack.credential_access
        - attack.t1003
    name: Possible Impacket SecretDump remote activity

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_mal_wceaux_dll.yml:
--------------------------------------------------------------------------------
# Object-access events (4656/4658/4660/4663) on a file named wceaux.dll; requires object
# access auditing (SACL) to be enabled on the monitored paths.
detect:
  log type: wel
  op: and
  rules:
    - op: or
      rules:
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '4656'
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '4658'
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '4660'
        - case sensitive: false
          op: is
          path: Event/System/EventID
          value: '4663'
    - case sensitive: false
      op: ends with
      path: Event/EventData/ObjectName
      value: \wceaux.dll
  target: log
respond:
  - action: report
    metadata:
      author: Thomas Patzke
      description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
      level: critical
      references:
        - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
        - https://jpcertcc.github.io/ToolAnalysisResultSheet
      tags:
        - attack.credential_access
        - attack.t1003
        - attack.s0005
    name: WCE wceaux.dll Access

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_builtin/win_overpass_the_hash.yml:
--------------------------------------------------------------------------------
detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4624' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/LogonType 12 | value: '9' 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/LogonProcessName 16 | value: seclogo 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/AuthenticationPackageName 20 | value: Negotiate 21 | target: log 22 | respond: 23 | - action: report 24 | metadata: 25 | author: Roberto Rodriguez (source), Dominik Schaudel (rule) 26 | description: Detects successful logon with logon type 9 (NewCredentials) which 27 | matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. 28 | level: high 29 | references: 30 | - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html 31 | tags: 32 | - attack.lateral_movement 33 | - attack.t1075 34 | - attack.s0002 35 | name: Successful Overpass the Hash Attempt 36 | 37 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_pass_the_hash.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/EventData/LogonType 10 | value: '3' 11 | - case sensitive: false 12 | op: is 13 | path: Event/EventData/LogonProcessName 14 | value: NtLmSsp 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/WorkstationName 18 | value: '%Workstations%' 19 | - case sensitive: false 20 | op: is 21 | path: Event/EventData/ComputerName 22 | value: '%Workstations%' 23 | - op: or 24 | rules: 25 | - case sensitive: false 26 | op: is 27 | path: Event/System/EventID 28 | value: '4624' 29 | - case sensitive: false 30 | op: is 31 | path: Event/System/EventID 32 | value: '4625' 33 | - case sensitive: false 34 | not: true 35 | op: is 
36 | path: Event/EventData/AccountName 37 | value: ANONYMOUS LOGON 38 | target: log 39 | respond: 40 | - action: report 41 | metadata: 42 | author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA 43 | (method) 44 | description: Detects the attack technique pass the hash which is used to move 45 | laterally inside the network 46 | level: medium 47 | references: 48 | - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events 49 | tags: 50 | - attack.lateral_movement 51 | - attack.t1075 52 | - car.2016-04-004 53 | name: Pass the Hash Activity 54 | 55 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_rare_schtasks_creations.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '4698' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Florian Roth 12 | description: Detects rare scheduled tasks creations that only appear a few times 13 | per time frame and could reveal password dumpers, backdoor installs or other 14 | types of malicious code 15 | level: low 16 | tags: 17 | - attack.execution 18 | - attack.privilege_escalation 19 | - attack.persistence 20 | - attack.t1053 21 | - car.2013-08-001 22 | name: Rare Schtasks Creations 23 | 24 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_rare_service_installs.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '7045' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Florian Roth 12 | description: Detects rare service installs that only appear a few times per time 13 | frame and could reveal password dumpers, backdoor 
installs or other types of 14 | malicious services 15 | level: low 16 | tags: 17 | - attack.persistence 18 | - attack.privilege_escalation 19 | - attack.t1050 20 | - car.2013-09-005 21 | name: Rare Service Installs 22 | 23 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_rdp_bluekeep_poc_scanner.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4625' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/AccountName 12 | value: AAAAAAA 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth (rule), Adam Bradbury (idea) 18 | description: Detects the use of a scanner by zerosum0x0 that discovers targets 19 | vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep 20 | level: critical 21 | references: 22 | - https://twitter.com/AdamTheAnalyst/status/1134394070045003776 23 | - https://github.com/zerosum0x0/CVE-2019-0708 24 | tags: 25 | - attack.lateral_movement 26 | - attack.t1210 27 | - car.2013-07-002 28 | name: Scanner PoC for CVE-2019-0708 RDP RCE vuln 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_rdp_localhost_login.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4624' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/LogonType 12 | value: '10' 13 | - op: or 14 | rules: 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/SourceNetworkAddress 18 | value: ::1 19 | - case sensitive: false 20 | op: is 21 | path: Event/EventData/SourceNetworkAddress 22 | value: 127.0.0.1 23 | target: log 24 | respond: 25 | - 
action: report 26 | metadata: 27 | author: Thomas Patzke 28 | description: RDP login with localhost source address may be a tunnelled login 29 | level: high 30 | references: 31 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 32 | tags: 33 | - attack.lateral_movement 34 | - attack.t1076 35 | - car.2013-07-002 36 | name: RDP Login from localhost 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_rdp_potential_cve-2019-0708.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '56' 11 | - case sensitive: false 12 | op: is 13 | path: Event/System/EventID 14 | value: '50' 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/Source 18 | value: TermDD 19 | target: log 20 | respond: 21 | - action: report 22 | metadata: 23 | author: Lionel PRAT, Christophe BROCAS, @atc_project (improvements) 24 | description: Detect suspicious error on protocol RDP, potential CVE-2019-0708 25 | level: high 26 | references: 27 | - https://github.com/zerosum0x0/CVE-2019-0708 28 | - https://github.com/Ekultek/BlueKeep 29 | tags: 30 | - attack.initial_access 31 | - attack.lateral_movement 32 | - attack.t1210 33 | - attack.t1190 34 | - car.2013-07-002 35 | name: Potential RDP exploit CVE-2019-0708 36 | 37 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_add_sid_history.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '4765' 11 | - case sensitive: false 12 | op: is 13 | path: 
Event/System/EventID 14 | value: '4766' 15 | - op: and 16 | rules: 17 | - case sensitive: false 18 | op: is 19 | path: Event/System/EventID 20 | value: '4738' 21 | - not: true 22 | op: or 23 | rules: 24 | - case sensitive: false 25 | op: is 26 | path: Event/EventData/SidHistory 27 | value: '-' 28 | - case sensitive: false 29 | op: is 30 | path: Event/EventData/SidHistory 31 | value: '%%1793' 32 | target: log 33 | respond: 34 | - action: report 35 | metadata: 36 | author: Thomas Patzke, @atc_project (improvements) 37 | description: An attacker can use the SID history attribute to gain additional 38 | privileges. 39 | level: medium 40 | references: 41 | - https://adsecurity.org/?p=1772 42 | tags: 43 | - attack.persistence 44 | - attack.privilege_escalation 45 | - attack.t1178 46 | name: Addition of SID History to Active Directory Object 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_backup_delete.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '524' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Source 12 | value: Backup 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth (rule), Tom U. 
@c_APT_ure (collection) 18 | description: Detects backup catalog deletions 19 | level: medium 20 | references: 21 | - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx 22 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 23 | tags: 24 | - attack.defense_evasion 25 | - attack.t1107 26 | name: Backup Catalog Deleted 27 | 28 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_dhcp_config.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '1033' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Dimitrios Slamaris 12 | description: This rule detects a DHCP server in which a specified Callout DLL 13 | (in registry) was loaded 14 | level: critical 15 | references: 16 | - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html 17 | - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx 18 | - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 19 | tags: 20 | - attack.defense_evasion 21 | - attack.t1073 22 | name: DHCP Server Loaded the CallOut DLL 23 | 24 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_dhcp_config_failed.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '1031' 11 | - case sensitive: false 12 | op: is 13 | path: Event/System/EventID 14 | value: '1032' 15 | - case sensitive: false 16 | op: is 17 | path: Event/System/EventID 18 | value: '1034' 19 | - case sensitive: false 20 | op: is 21 | path: 
Event/EventData/Source 22 | value: Microsoft-Windows-DHCP-Server 23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Dimitrios Slamaris, @atc_project (fix) 28 | description: This rule detects a DHCP server error in which a specified Callout 29 | DLL (in registry) could not be loaded 30 | level: critical 31 | references: 32 | - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html 33 | - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx 34 | - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 35 | tags: 36 | - attack.defense_evasion 37 | - attack.t1073 38 | name: DHCP Server Error Failed Loading the CallOut DLL 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_dns_config.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '150' 9 | - case sensitive: false 10 | op: is 11 | path: Event/System/EventID 12 | value: '770' 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: This rule detects a DNS server error in which a specified plugin 19 | DLL (in registry) could not be loaded 20 | level: critical 21 | references: 22 | - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 23 | - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx 24 | - https://twitter.com/gentilkiwi/status/861641945944391680 25 | tags: 26 | - attack.defense_evasion 27 | - attack.t1073 28 | name: DNS Server Error Failed Loading the ServerLevelPluginDLL 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_dsrm_password_change.yml: 
-------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '4794' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Thomas Patzke 12 | description: The Directory Service Restore Mode (DSRM) account is a local administrator 13 | account on Domain Controllers. Attackers may change the password to gain persistence. 14 | level: high 15 | references: 16 | - https://adsecurity.org/?p=1714 17 | tags: 18 | - attack.persistence 19 | - attack.privilege_escalation 20 | - attack.t1098 21 | name: Password Change on Directory Service Restore Mode (DSRM) Account 22 | 23 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_eventlog_cleared.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '104' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Source 12 | value: Microsoft-Windows-Eventlog 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: One of the Windows Eventlogs has been cleared. e.g. 
caused by "wevtutil 19 | cl" command execution 20 | level: medium 21 | references: 22 | - https://twitter.com/deviouspolack/status/832535435960209408 23 | - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 24 | tags: 25 | - attack.defense_evasion 26 | - attack.t1070 27 | - car.2016-04-002 28 | name: Eventlog Cleared 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_failed_logons_single_source.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '529' 11 | - case sensitive: false 12 | op: is 13 | path: Event/System/EventID 14 | value: '4625' 15 | - case sensitive: false 16 | op: ends with 17 | path: Event/EventData/UserName 18 | value: '' 19 | - case sensitive: false 20 | op: ends with 21 | path: Event/EventData/WorkstationName 22 | value: '' 23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Florian Roth 28 | description: Detects suspicious failed logins with different user accounts from 29 | a single source system 30 | level: medium 31 | tags: 32 | - attack.persistence 33 | - attack.privilege_escalation 34 | - attack.t1078 35 | name: Multiple Failed Logins with Different Accounts from Single Source System 36 | 37 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_lsass_dump.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4656' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/ProcessName 12 | value: C:\Windows\System32\lsass.exe 13 | - 
case sensitive: false 14 | op: is 15 | path: Event/EventData/AccessMask 16 | value: '0x705' 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/ObjectType 20 | value: SAM_DOMAIN 21 | target: log 22 | respond: 23 | - action: report 24 | metadata: 25 | description: Detects process handle on LSASS process with certain access mask 26 | and object type SAM_DOMAIN 27 | level: high 28 | references: 29 | - https://twitter.com/jackcr/status/807385668833968128 30 | tags: 31 | - attack.credential_access 32 | - attack.t1003 33 | name: Password Dumper Activity on LSASS 34 | 35 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_net_recon_activity.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4661' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/AccessMask 12 | value: '0x2d' 13 | - op: or 14 | rules: 15 | - op: and 16 | rules: 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/ObjectType 20 | value: SAM_USER 21 | - case sensitive: false 22 | op: matches 23 | path: Event/EventData/ObjectName 24 | re: S\-1\-5\-21\-.*\-500 25 | - op: and 26 | rules: 27 | - case sensitive: false 28 | op: is 29 | path: Event/EventData/ObjectType 30 | value: SAM_GROUP 31 | - case sensitive: false 32 | op: matches 33 | path: Event/EventData/ObjectName 34 | re: S\-1\-5\-21\-.*\-512 35 | target: log 36 | respond: 37 | - action: report 38 | metadata: 39 | author: Florian Roth (rule), Jack Croock (method) 40 | description: Detects activity as "net user administrator /domain" and "net group 41 | domain admins /domain" 42 | level: high 43 | references: 44 | - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html 45 | tags: 46 | - attack.discovery 47 | - attack.t1087 48 | - attack.t1069 49 | - 
attack.s0039 50 | name: Reconnaissance Activity 51 | 52 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_ntlm_auth.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '8002' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/CallingProcessName 12 | value: '' 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: Detects logons using NTLM, which could be caused by a legacy source 19 | or attackers 20 | level: low 21 | references: 22 | - https://twitter.com/JohnLaTwC/status/1004895028995477505 23 | - https://goo.gl/PsqrhT 24 | tags: 25 | - attack.lateral_movement 26 | - attack.t1075 27 | name: NTLM Logon 28 | 29 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_rc4_kerberos.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '4769' 11 | - case sensitive: false 12 | op: is 13 | path: Event/EventData/TicketOptions 14 | value: '0x40810000' 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/TicketEncryptionType 18 | value: '0x17' 19 | - case sensitive: false 20 | not: true 21 | op: starts with 22 | path: Event/EventData/ServiceName 23 | value: $ 24 | target: log 25 | respond: 26 | - action: report 27 | metadata: 28 | description: Detects service ticket requests using RC4 encryption type 29 | level: medium 30 | references: 31 | - https://adsecurity.org/?p=3458 32 | - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity 33 | tags: 34 | - 
attack.credential_access 35 | - attack.t1208 36 | name: Suspicious Kerberos RC4 Ticket Encryption 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_samr_pwset.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4738' 9 | - not: false 10 | op: exists 11 | path: Event/EventData/PasswordLastSet 12 | target: log 13 | respond: 14 | - action: report 15 | metadata: 16 | author: Dimitrios Slamaris 17 | description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() 18 | or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit 19 | Policy Configuration" has to be enabled in your local security policy / GPO 20 | to see this events. 21 | level: medium 22 | tags: 23 | - attack.credential_access 24 | - attack.t1212 25 | name: Possible Remote Password Change Through SAMR 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_sdelete.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '4656' 11 | - case sensitive: false 12 | op: is 13 | path: Event/System/EventID 14 | value: '4663' 15 | - case sensitive: false 16 | op: is 17 | path: Event/System/EventID 18 | value: '4658' 19 | - op: or 20 | rules: 21 | - case sensitive: false 22 | op: ends with 23 | path: Event/EventData/ObjectName 24 | value: .AAA 25 | - case sensitive: false 26 | op: ends with 27 | path: Event/EventData/ObjectName 28 | value: .ZZZ 29 | target: log 30 | respond: 31 | - action: report 32 | metadata: 33 | author: Thomas Patzke 34 | description: 
Detects renaming of file while deletion with SDelete tool 35 | level: medium 36 | references: 37 | - https://jpcertcc.github.io/ToolAnalysisResultSheet 38 | - https://www.jpcert.or.jp/english/pub/sr/ir_research.html 39 | - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx 40 | tags: 41 | - attack.defense_evasion 42 | - attack.t1107 43 | - attack.t1066 44 | - attack.s0195 45 | name: Secure Deletion with SDelete 46 | 47 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_security_eventlog_cleared.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '517' 9 | - case sensitive: false 10 | op: is 11 | path: Event/System/EventID 12 | value: '1102' 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: Some threat groups tend to delete the local 'Security' Eventlog using 19 | certain utitlities 20 | level: high 21 | tags: 22 | - attack.defense_evasion 23 | - attack.t1070 24 | - car.2016-04-002 25 | name: Security Eventlog Cleared 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_susp_time_modification.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '4616' 9 | - not: true 10 | op: or 11 | rules: 12 | - op: or 13 | rules: 14 | - case sensitive: false 15 | op: is 16 | path: Event/EventData/ProcessName 17 | value: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 18 | - case sensitive: false 19 | op: is 20 | path: Event/EventData/ProcessName 21 | value: C:\Windows\System32\VBoxService.exe 22 | - op: and 23 | rules: 24 | - 
case sensitive: false 25 | op: is 26 | path: Event/EventData/ProcessName 27 | value: C:\Windows\System32\svchost.exe 28 | - case sensitive: false 29 | op: is 30 | path: Event/EventData/SubjectUserSid 31 | value: S-1-5-19 32 | target: log 33 | respond: 34 | - action: report 35 | metadata: 36 | author: '@neu5ron' 37 | description: Detect scenarios where a potentially unauthorized application or 38 | user is modifying the system time. 39 | level: high 40 | references: 41 | - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) 42 | - Live environment caused by malware 43 | tags: 44 | - attack.defense_evasion 45 | - attack.t1099 46 | name: Unauthorized System Time Modification 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_svcctl_remote_service.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '5145' 9 | - case sensitive: false 10 | op: matches 11 | path: Event/EventData/ShareName 12 | re: \\.*\\IPC\$ 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/RelativeTargetName 16 | value: svcctl 17 | - case sensitive: false 18 | op: contains 19 | path: Event/EventData/Accesses 20 | value: WriteData 21 | target: log 22 | respond: 23 | - action: report 24 | metadata: 25 | author: Samir Bousseaden 26 | description: Detects remote remote service activity via remote access to the svcctl 27 | named pipe 28 | level: medium 29 | references: 30 | - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html 31 | tags: 32 | - attack.lateral_movement 33 | - attack.persistence 34 | name: Remote Service Activity Detected via SVCCTL named pipe 35 | 36 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_usb_device_plugged.yml: 
-------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '2003' 9 | - case sensitive: false 10 | op: is 11 | path: Event/System/EventID 12 | value: '2100' 13 | - case sensitive: false 14 | op: is 15 | path: Event/System/EventID 16 | value: '2102' 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects plugged USB devices 23 | level: low 24 | references: 25 | - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ 26 | - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ 27 | tags: 28 | - attack.initial_access 29 | - attack.t1200 30 | name: USB Device Plugged 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_user_added_to_local_administrators.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '4732' 11 | - op: or 12 | rules: 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/GroupName 16 | value: Administrators 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/GroupSid 20 | value: S-1-5-32-544 21 | - case sensitive: false 22 | not: true 23 | op: ends with 24 | path: Event/EventData/SubjectUserName 25 | value: $ 26 | target: log 27 | respond: 28 | - action: report 29 | metadata: 30 | author: Florian Roth 31 | description: This rule triggers on user accounts that are added to the local Administrators 32 | group, which could be legitimate activity or a sign of privilege escalation 33 | activity 34 | level: medium 35 | tags: 36 | - attack.privilege_escalation 37 | - attack.t1078 38 
| name: User Added to Local Administrators 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_builtin/win_user_creation.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '4720' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Patrick Bareiss 12 | description: Detects local user creation on windows servers, which shouldn't happen 13 | in an Active Directory environment. Apply this Sigma Use Case on your windows 14 | server logs and not on your DC logs. 15 | level: low 16 | references: 17 | - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ 18 | tags: 19 | - attack.persistence 20 | - attack.t1136 21 | name: Detects local user creation 22 | 23 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_malware/win_mal_ryuk.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: '\net.exe stop "samss" ' 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: '\net.exe stop "audioendpointbuilder" ' 18 | - case sensitive: false 19 | op: matches 20 | path: event/COMMAND_LINE 21 | re: .*\\net\.exe\ stop\ "unistoresvc_....."\ .* 22 | respond: 23 | - action: report 24 | metadata: 25 | author: Vasiliy Burov 26 | description: Detects Ryuk Ransomware command lines 27 | level: critical 28 | references: 29 | - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ 30 | name: Ryuk Ransomware 31 | 32 | 
-------------------------------------------------------------------------------- /Sigma/dr_rules/windows_malware/win_mal_ursnif.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - case sensitive: false 10 | op: contains 11 | path: Event/EventData/TargetObject 12 | value: \Software\AppDataLow\Software\Microsoft\ 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: megan201296 18 | description: Detects new registry key created by Ursnif malware. 19 | level: critical 20 | references: 21 | - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ 22 | - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ 23 | tags: 24 | - attack.execution 25 | - attack.t1112 26 | name: Ursnif 27 | 28 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_other/win_rare_schtask_creation.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | case sensitive: false 3 | log type: wel 4 | op: is 5 | path: Event/System/EventID 6 | target: log 7 | value: '106' 8 | respond: 9 | - action: report 10 | metadata: 11 | author: Florian Roth 12 | description: This rule detects rare scheduled task creations. Typically software 13 | gets installed on multiple systems and not only on a few. The aggregation and 14 | count function selects tasks with rare names. 
15 | level: low 16 | tags: 17 | - attack.persistence 18 | - attack.t1053 19 | - attack.s0111 20 | name: Rare Scheduled Task Creations 21 | 22 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/powershell_xor_commandline.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: contains 10 | path: event/COMMAND_LINE 11 | value: ' -bxor' 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Sami Ruohonen 16 | description: Detects a suspicious powershell process which includes the bxor command, 17 | an alternative obfuscation method to b64 encoded commands. 18 | level: medium 19 | tags: 20 | - attack.execution 21 | - attack.t1086 22 | name: Suspicious XOR Encoded PowerShell Command Line 23 | 24 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_apt_bluemashroom.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/COMMAND_LINE 13 | re: .*\\regsvr32.*\\AppData\\Local\\.* 14 | - case sensitive: false 15 | op: matches 16 | path: event/COMMAND_LINE 17 | re: .*\\AppData\\Local\\.*,DllEntry.* 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects suspicious DLL loading from an AppData Local path as described 23 | in the BlueMashroom report 24 | level: critical 25 | references: 26 | - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software 27 | tags: 28 | - attack.defense_evasion 29 | - attack.t1117 30 | name: BlueMashroom DLL 
Load 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_attrib_hiding_files.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: ends with 14 | path: event/FILE_PATH 15 | value: \attrib.exe 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: ' +h ' 20 | - not: true 21 | op: or 22 | rules: 23 | - case sensitive: false 24 | op: contains 25 | path: event/COMMAND_LINE 26 | value: '\desktop.ini ' 27 | - op: and 28 | rules: 29 | - case sensitive: false 30 | op: ends with 31 | path: event/PARENT/FILE_PATH 32 | value: \cmd.exe 33 | - case sensitive: false 34 | op: matches 35 | path: event/COMMAND_LINE 36 | re: \+R\ \+H\ \+S\ \+A\ \\.*\.cui 37 | - case sensitive: false 38 | op: matches 39 | path: event/PARENT/COMMAND_LINE 40 | re: C:\\WINDOWS\\system32\\.*\.bat 41 | respond: 42 | - action: report 43 | metadata: 44 | author: Sami Ruohonen 45 | description: Detects usage of attrib.exe to hide files from users. 
46 | level: low 47 | tags: 48 | - attack.defense_evasion 49 | - attack.persistence 50 | - attack.t1158 51 | name: Hiding files with attrib.exe 52 | 53 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_cmdkey_recon.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \cmdkey.exe 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: ' /list ' 18 | respond: 19 | - action: report 20 | metadata: 21 | author: jmallette 22 | description: Detects usage of cmdkey to look for cached credentials 23 | level: low 24 | references: 25 | - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation 26 | - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx 27 | tags: 28 | - attack.credential_access 29 | - attack.t1003 30 | name: Cmdkey Cached Credentials Recon 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_cmstp_com_object_access.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/COMMAND_LINE 13 | value: \DllHost.exe 14 | - op: or 15 | rules: 16 | - case sensitive: false 17 | op: ends with 18 | path: event/PARENT/COMMAND_LINE 19 | value: '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' 20 | - case sensitive: false 21 | op: ends with 22 | path: event/PARENT/COMMAND_LINE 23 | value: '{3E000D72-A845-4CD9-BD83-80C07C3B881F}' 24 | respond: 25 | - action: report 26 
| metadata: 27 | author: Nik Seetharaman 28 | description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile 29 | Installer Autoelevate-capable COM Objects 30 | level: high 31 | references: 32 | - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ 33 | - https://twitter.com/hFireF0X/status/897640081053364225 34 | tags: 35 | - attack.defense_evasion 36 | - attack.privilege_escalation 37 | - attack.execution 38 | - attack.t1088 39 | - attack.t1191 40 | - attack.g0069 41 | - car.2019-04-001 42 | name: CMSTP UAC Bypass via COM Object Access 43 | 44 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_control_panel_item.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/COMMAND_LINE 13 | value: .cpl 14 | - not: true 15 | op: or 16 | rules: 17 | - case sensitive: false 18 | op: contains 19 | path: event/COMMAND_LINE 20 | value: \System32\ 21 | - case sensitive: false 22 | op: contains 23 | path: event/COMMAND_LINE 24 | value: '%System%' 25 | respond: 26 | - action: report 27 | metadata: 28 | author: Kyaw Min Thein 29 | description: Detects the use of a control panel item (.cpl) outside of the System32 30 | folder 31 | level: critical 32 | tags: 33 | - attack.execution 34 | - attack.t1196 35 | - attack.defense_evasion 36 | name: Control Panel Items 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_encoded_frombase64string.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - 
op: or 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: OjpGcm9tQmFzZTY0U3RyaW5n 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: o6RnJvbUJhc2U2NFN0cmluZ 18 | - case sensitive: false 19 | op: contains 20 | path: event/COMMAND_LINE 21 | value: 6OkZyb21CYXNlNjRTdHJpbm 22 | respond: 23 | - action: report 24 | metadata: 25 | author: Florian Roth 26 | description: Detects a base64 encoded FromBase64String keyword in a process command 27 | line 28 | level: critical 29 | tags: 30 | - attack.t1086 31 | - attack.t1140 32 | - attack.execution 33 | - attack.defense_evasion 34 | name: Encoded FromBase64String 35 | 36 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_etw_trace_evasion.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/COMMAND_LINE 13 | re: .*\ cl\ .*/Trace.* 14 | - case sensitive: false 15 | op: matches 16 | path: event/COMMAND_LINE 17 | re: .*\ clear\-log\ .*/Trace.* 18 | - case sensitive: false 19 | op: matches 20 | path: event/COMMAND_LINE 21 | re: .*\ sl.*\ /e:false.* 22 | - case sensitive: false 23 | op: matches 24 | path: event/COMMAND_LINE 25 | re: .*\ set\-log.*\ /e:false.* 26 | respond: 27 | - action: report 28 | metadata: 29 | author: '@neu5ron, Florian Roth' 30 | description: Detects a command that clears or disables any ETW trace log which 31 | could indicate a logging evasion. 
32 | level: high 33 | references: 34 | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil 35 | - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml 36 | - https://abuse.io/lockergoga.txt 37 | tags: 38 | - attack.execution 39 | - attack.t1070 40 | - car.2016-04-002 41 | name: Disable of ETW Trace 42 | 43 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_exploit_cve_2015_1641.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \WINWORD.EXE 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: '\MicroScMgmt.exe ' 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects Winword starting uncommon sub process MicroScMgmt.exe as 23 | used in exploits for CVE-2015-1641 24 | level: critical 25 | references: 26 | - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ 27 | - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 28 | tags: 29 | - attack.defense_evasion 30 | - attack.t1036 31 | name: Exploit for CVE-2015-1641 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_exploit_cve_2017_0261.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: 
event/PARENT/FILE_PATH 13 | value: \WINWORD.EXE 14 | - case sensitive: false 15 | op: contains 16 | path: event/FILE_PATH 17 | value: \FLTLDR.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects Winword starting uncommon sub process FLTLDR.exe as used 23 | in exploits for CVE-2017-0261 and CVE-2017-0262 24 | level: medium 25 | references: 26 | - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html 27 | tags: 28 | - attack.defense_evasion 29 | - attack.privilege_escalation 30 | - attack.t1055 31 | name: Exploit for CVE-2017-0261 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_exploit_cve_2017_11882.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: ends with 10 | path: event/PARENT/FILE_PATH 11 | value: \EQNEDT32.EXE 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and 17 | other sub processes like mshta.exe 18 | level: critical 19 | references: 20 | - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 21 | - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw 22 | tags: 23 | - attack.defense_evasion 24 | - attack.t1211 25 | name: Droppers exploiting CVE-2017-11882 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_exploit_cve_2017_8759.yml: -------------------------------------------------------------------------------- 1 
| detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \WINWORD.EXE 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \csc.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects Winword starting uncommon sub process csc.exe as used in 23 | exploits for CVE-2017-8759 24 | level: critical 25 | references: 26 | - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 27 | - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 28 | tags: 29 | - attack.execution 30 | - attack.t1203 31 | name: Exploit for CVE-2017-8759 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_hwp_exploits.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \Hwp.exe 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \gbb.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects suspicious Hangul Word Processor (Hanword) sub processes 23 | that could indicate an exploitation 24 | level: high 25 | references: 26 | - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/ 27 | - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 28 | - 
https://twitter.com/cyberwar_15/status/1187287262054076416 29 | - https://blog.alyac.co.kr/1901 30 | - https://en.wikipedia.org/wiki/Hangul_(word_processor) 31 | tags: 32 | - attack.execution 33 | - attack.defense_evasion 34 | - attack.initial_access 35 | - attack.t1059 36 | - attack.t1202 37 | - attack.t1193 38 | - attack.g0032 39 | name: Suspicious HWP Sub Processes 40 | 41 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_lethalhta.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \svchost.exe 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \mshta.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Markus Neis 22 | description: Detects MSHTA.EXE spawned by SVCHOST as described in the LethalHTA report 23 | level: high 24 | references: 25 | - https://codewhitesec.blogspot.com/2018/07/lethalhta.html 26 | tags: 27 | - attack.defense_evasion 28 | - attack.execution 29 | - attack.t1170 30 | name: MSHTA spawned by SVCHOST as seen in LethalHTA 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_malware_dridex.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/COMMAND_LINE 13 | re: .*\\svchost\.exe\ C:\\Users\\.*\\Desktop\\.* 14 | - op: and 15 | rules: 16 | - case sensitive: false 17 | op: contains 18 | path: event/PARENT/FILE_PATH 19 | value: \svchost.exe 20 | - op: or 21 | rules: 22 | - 
case sensitive: false 23 | op: ends with 24 | path: event/COMMAND_LINE 25 | value: whoami.exe /all 26 | - case sensitive: false 27 | op: ends with 28 | path: event/COMMAND_LINE 29 | value: net.exe view 30 | respond: 31 | - action: report 32 | metadata: 33 | author: Florian Roth 34 | description: Detects typical Dridex process patterns 35 | level: critical 36 | references: 37 | - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 38 | tags: 39 | - attack.defense_evasion 40 | - attack.privilege_escalation 41 | - attack.t1055 42 | name: Dridex Process Pattern 43 | 44 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_malware_notpetya.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/COMMAND_LINE 13 | re: .*\\AppData\\Local\\Temp\\.*\ \\\\\.\\pipe\\.* 14 | - op: and 15 | rules: 16 | - case sensitive: false 17 | op: ends with 18 | path: event/FILE_PATH 19 | value: \rundll32.exe 20 | - case sensitive: false 21 | op: ends with 22 | path: event/COMMAND_LINE 23 | value: .dat,#1 24 | - op: contains 25 | path: event/COMMAND_LINE 26 | value: \perfc.dat 27 | respond: 28 | - action: report 29 | metadata: 30 | author: Florian Roth, Tom Ueltschi 31 | description: Detects NotPetya ransomware activity in which the extracted passwords 32 | are passed back to the main module via named pipe, the file system journal of 33 | drive C is deleted and windows eventlogs are cleared using wevtutil 34 | level: critical 35 | references: 36 | - https://securelist.com/schroedingers-petya/78870/ 37 | - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 38 | tags: 39 | - attack.execution 40 | - 
attack.credential_access 41 | - attack.defense_evasion 42 | - attack.t1085 43 | - attack.t1070 44 | - attack.t1003 45 | - car.2016-04-002 46 | name: NotPetya Ransomware Activity 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_malware_qbot.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: ends with 14 | path: event/PARENT/FILE_PATH 15 | value: \WinRAR.exe 16 | - case sensitive: false 17 | op: ends with 18 | path: event/FILE_PATH 19 | value: \wscript.exe 20 | - case sensitive: false 21 | op: contains 22 | path: event/COMMAND_LINE 23 | value: ' /c ping.exe -n 6 127.0.0.1 & type ' 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Florian Roth 28 | description: Detects QBot like process executions 29 | level: critical 30 | references: 31 | - https://twitter.com/killamjr/status/1179034907932315648 32 | - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/ 33 | name: QBot Process Creation 34 | 35 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_mavinject_proc_inj.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: contains 10 | path: event/COMMAND_LINE 11 | value: ' /INJECTRUNNING ' 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects process injection using the signed Windows tool Mavinject32.exe 17 | level: critical 18 | references: 19 | - https://twitter.com/gN3mes1s/status/941315826107510784 20 | - 
https://reaqta.com/2017/12/mavinject-microsoft-injector/ 21 | - https://twitter.com/Hexacorn/status/776122138063409152 22 | tags: 23 | - attack.process_injection 24 | - attack.t1055 25 | - attack.signed_binary_proxy_execution 26 | - attack.t1218 27 | name: MavInject Process Injection 28 | 29 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_netsh_fw_add.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: contains 10 | path: event/COMMAND_LINE 11 | value: netsh firewall add 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Markus Neis 16 | description: Detects netsh commands that allow incoming connections by port or application on the Windows Firewall 17 | level: medium 18 | references: 19 | - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) 20 | - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf 21 | tags: 22 | - attack.lateral_movement 23 | - attack.command_and_control 24 | - attack.t1090 25 | name: Netsh 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_netsh_port_fwd.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: starts with 10 | path: event/COMMAND_LINE 11 | value: 'netsh interface portproxy add v4tov4 ' 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects netsh commands that configure port forwarding 17 | level: medium 18 | references: 19 | - 
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 20 | tags: 21 | - attack.lateral_movement 22 | - attack.command_and_control 23 | - attack.t1090 24 | name: Netsh Port Forwarding 25 | 26 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_netsh_port_fwd_3389.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: matches 10 | path: event/COMMAND_LINE 11 | re: netsh\ i.*\ p.*=3389\ c.* 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects netsh commands that configure a port forwarding of port 3389 17 | used for RDP 18 | level: high 19 | references: 20 | - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html 21 | tags: 22 | - attack.lateral_movement 23 | - attack.t1021 24 | - car.2013-07-002 25 | name: Netsh RDP Port Forwarding 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_powershell_amsi_bypass.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: System.Management.Automation.AmsiUtils 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: amsiInitFailed 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Markus Neis 22 | description: Detects Request to amsiInitFailed that can be used to disable AMSI 23 | Scanning 24 | level: high 25 | references: 26 | - 
https://twitter.com/mattifestation/status/735261176745988096 27 | - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 28 | tags: 29 | - attack.execution 30 | - attack.defense_evasion 31 | - attack.t1086 32 | name: Powershell AMSI Bypass via .NET Reflection 33 | 34 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_powershell_b64_shellcode.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: AAAAYInlM 14 | - op: or 15 | rules: 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: OiCAAAAYInlM 20 | - case sensitive: false 21 | op: contains 22 | path: event/COMMAND_LINE 23 | value: OiJAAAAYInlM 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Florian Roth 28 | description: Detects Base64 encoded Shellcode 29 | level: critical 30 | references: 31 | - https://twitter.com/cyb3rops/status/1063072865992523776 32 | tags: 33 | - attack.defense_evasion 34 | - attack.t1036 35 | name: PowerShell Base64 Encoded Shellcode 36 | 37 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_powershell_download.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \powershell.exe 14 | - op: or 15 | rules: 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: new-object 
system.net.webclient).downloadstring( 20 | - case sensitive: false 21 | op: contains 22 | path: event/COMMAND_LINE 23 | value: new-object system.net.webclient).downloadfile( 24 | - case sensitive: false 25 | op: contains 26 | path: event/COMMAND_LINE 27 | value: new-object net.webclient).downloadstring( 28 | - case sensitive: false 29 | op: contains 30 | path: event/COMMAND_LINE 31 | value: new-object net.webclient).downloadfile( 32 | respond: 33 | - action: report 34 | metadata: 35 | author: Florian Roth 36 | description: Detects a Powershell process that contains download commands in its 37 | command line string 38 | level: medium 39 | tags: 40 | - attack.t1086 41 | - attack.execution 42 | name: PowerShell Download from URL 43 | 44 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_process_creation_bitsadmin_download.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \bitsadmin.exe 14 | - case sensitive: false 15 | op: is 16 | path: event/COMMAND_LINE 17 | value: /transfer 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Michael Haag 22 | description: Detects usage of bitsadmin downloading a file 23 | level: medium 24 | references: 25 | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin 26 | - https://isc.sans.edu/diary/22264 27 | tags: 28 | - attack.defense_evasion 29 | - attack.persistence 30 | - attack.t1197 31 | - attack.s0190 32 | name: Bitsadmin Download 33 | 34 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_psexesvc_start.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | 
events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: is 10 | path: event/COMMAND_LINE 11 | value: C:\Windows\PSEXESVC.exe 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects a PsExec service start 17 | level: low 18 | tags: 19 | - attack.execution 20 | - attack.t1035 21 | - attack.s0029 22 | name: PsExec Service Start 23 | 24 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_ransomware_shadowcopy.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: vssadmin delete shadows 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: wmic SHADOWCOPY DELETE 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects commands that delete all local volume shadow copies as used 23 | by different Ransomware families 24 | level: critical 25 | references: 26 | - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ 27 | - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 28 | name: Ransomware Deletes Volume Shadow Copies 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_sdbinst_shim_persistence.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 
| path: event/FILE_PATH 13 | value: \sdbinst.exe 14 | - case sensitive: false 15 | op: contains 16 | path: event/COMMAND_LINE 17 | value: .sdb 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Markus Neis 22 | description: Detects installation of a new shim using sdbinst.exe. A shim can 23 | be used to load malicious DLLs into applications. 24 | level: high 25 | references: 26 | - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html 27 | tags: 28 | - attack.persistence 29 | - attack.t1138 30 | name: Possible Shim Database Persistence via sdbinst.exe 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_bcdedit.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \bcdedit.exe 14 | - op: or 15 | rules: 16 | - case sensitive: false 17 | op: contains 18 | path: event/COMMAND_LINE 19 | value: delete 20 | - case sensitive: false 21 | op: contains 22 | path: event/COMMAND_LINE 23 | value: deletevalue 24 | - case sensitive: false 25 | op: contains 26 | path: event/COMMAND_LINE 27 | value: import 28 | respond: 29 | - action: report 30 | metadata: 31 | author: '@neu5ron' 32 | description: Detects possibly malicious or unauthorized usage of bcdedit.exe 33 | level: medium 34 | references: 35 | - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set 36 | tags: 37 | - attack.defense_evasion 38 | - attack.t1070 39 | - attack.persistence 40 | - attack.t1067 41 | name: Possible Ransomware or unauthorized MBR modifications 42 | 43 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_calc.yml: 
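--------------------------------------------------------------------------------
# Suspicious Calculator Usage
# calc.exe started with arguments, or from a directory other than the Windows
# system directories (the "\Windows\Sys" prefix presumably covers both System32
# and SysWOW64 - confirm against the deployed image paths).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # Trailing space: "calc.exe" followed by at least one argument.
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: '\calc.exe '
        - op: and
          rules:
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \calc.exe
            - case sensitive: false
              not: true
              op: contains
              path: event/FILE_PATH
              value: \Windows\Sys
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious use of calc.exe with command line parameters or
    in a suspicious directory, which is likely caused by some PoC or detection evasion
  level: high
  references:
    - https://twitter.com/ItsReallyNick/status/1094080242686312448
  tags:
    - attack.defense_evasion
    - attack.t1036
  name: Suspicious Calculator Usage

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_certutil_encode.yml:
--------------------------------------------------------------------------------
# Certutil Encode (metadata continues on the next line)
# certutil used with its -encode switch (base64 encoding of a file).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # The former "starts with 'certutil -f -encode '" patterns only fired when the
    # command line began with the bare binary name and used exactly that switch
    # order. An invocation by quoted full path
    # ("C:\Windows\System32\certutil.exe" -f -encode ...), a command without -f, or
    # -encodehex was missed. Binary and switch are now matched independently.
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \certutil.exe
        # Also catch a renamed/copied binary that still says "certutil" on the
        # command line, as the original command-line-only rule did.
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: certutil
    - op: or
      rules:
        # No trailing space on purpose: this also covers "-encodehex".
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -encode'
        # certutil accepts the "/" switch prefix as well as "-".
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' /encode'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious certutil command that is used to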
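# Continuation of win_susp_certutil_encode.yml (folded description text, then the
# remaining metadata). Reproduced unchanged.
    encode files,
    which is sometimes used for data exfiltration
  level: medium
  references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
  name: Certutil Encode

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_cli_escape.yml:
--------------------------------------------------------------------------------
# Suspicious Commandline Escape
# cmd-style escaping (^ or "") used to hide the string "http" inside a command line.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # The converted rule used "op: is", an exact match on the whole command
        # line, so it could only fire on a command line consisting solely of
        # "^h^t^t^p" - i.e. never. The escaped fragment is part of a longer
        # command line (typically a URL argument), hence "contains".
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ^h^t^t^p
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: h"t"t"p
respond:
  - action: report
metadata:
  author: juju4
  description: Detects suspicious process that use escape characters
  level: low
  references:
    - https://twitter.com/vysecurity/status/885545634958385153
    - https://twitter.com/Hexacorn/status/885553465417756673
    - https://twitter.com/Hexacorn/status/885570278637678592
    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
  tags:
    - attack.defense_evasion
    - attack.t1140
  name: Suspicious Commandline Escape

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_cmd_http_appdata.yml:
--------------------------------------------------------------------------------
# Command Line Execution with suspicious URL and AppData Strings
# "cmd /c" command line that carries a URL followed by %AppData%, as used by
# script droppers.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # One pattern replaces the former http:// and https:// pair. "cmd" may be
    # written with or without ".exe" and may be a quoted full path; the former
    # patterns required the literal "cmd.exe /c " at the very start of the
    # command line.
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      re: '.*cmd(\.exe)?"?\s+/c\s+.*https?://.*%AppData%.*'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious command line execution that includes an URL
    and AppData string in the command line parameters as used by several droppers
    (js/vbs > powershell)
  level: medium
  references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
  tags:
    - attack.execution
    - attack.t1059
  name: Command Line Execution with suspicious URL and AppData Strings

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_codepage_switch.yml:
--------------------------------------------------------------------------------
# Suspicious Code Page Switch
# "chcp 936" (Simplified Chinese) or "chcp 1258" (Vietnamese) on a command line.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # A leading ".*" was added for consistency with every other "matches"
        # rule in this set; should the engine anchor regexes at the start of the
        # string, the bare "chcp.*" form would miss "cmd /c chcp 936".
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: .*chcp.*\ 936
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: .*chcp.*\ 1258
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a code page switch in command line or batch scripts to a
    rare language
  level: medium
  references:
    - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://twitter.com/cglyer/status/1183756892952248325
  name: Suspicious Code Page Switch

--------------------------------------------------------------------------------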
/Sigma/dr_rules/windows_process_creation/win_susp_comsvcs_procdump.yml:
--------------------------------------------------------------------------------
# Process dump via comsvcs DLL
# rundll32 loading comsvcs.dll and calling its MiniDump export with "full".
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: or
          rules:
            # Both branches are case-insensitive; the second one (no leading
            # backslash) is a superset of the first, so the first is redundant
            # but harmless.
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \rundll32.exe
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: RUNDLL32.EXE
        - op: or
          rules:
            # "MiniDumpW" already contains "MiniDump", so the second regex is a
            # subset of the first. Neither catches the export invoked by ordinal
            # ("comsvcs.dll, #<n>") - that form is the subject of
            # win_susp_rundll32_by_ordinal.yml in this directory.
            - case sensitive: false
              op: matches
              path: event/COMMAND_LINE
              re: .*comsvcs.*MiniDump.*full.*
            - case sensitive: false
              op: matches
              path: event/COMMAND_LINE
              re: .*comsvcs.*MiniDumpW.*full.*
respond:
  - action: report
metadata:
  author: Modexp (idea)
  description: Detects process memory dump via comsvcs.dll and rundll32
  level: medium
  references:
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
    - https://twitter.com/SBousseaden/status/1167417096374050817
  tags:
    - attack.credential_access
    - attack.t1003
  name: Process dump via comsvcs DLL

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_control_dll_load.yml:
--------------------------------------------------------------------------------
# Suspicious Control Panel DLL Load (metadata continues on the next line)
# rundll32 spawned by control.exe with a DLL other than Shell32.dll.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: and
          rules:
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \System32\control.exe
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: '\rundll32.exe '
        # Exclusion: the normal control.exe -> rundll32 Shell32.dll,Control_RunDLL
        # chain is expected and filtered out.
        - case sensitive: false
          not: true
          op: contains
          path: event/COMMAND_LINE
          value: Shell32.dll
respond:
  - action: report
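# Continuation of win_susp_control_dll_load.yml (metadata only). Reproduced unchanged.
metadata:
  author: Florian Roth
  description: Detects suspicious Rundll32 execution from control.exe as used by
    Equation Group and Exploit Kits
  level: high
  references:
    - https://twitter.com/rikvduijn/status/853251879320662017
  tags:
    - attack.defense_evasion
    - attack.t1073
    - attack.t1085
    - car.2013-10-002
  name: Suspicious Control Panel DLL Load

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_csc.yml:
--------------------------------------------------------------------------------
# Suspicious Parent of Csc.exe
# The C# compiler started by a script host (wscript/cscript) or mshta.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        # "contains" rather than "ends with" - kept as in the original; it also
        # matches paths that merely include "\csc.exe".
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \csc.exe
        - op: or
          rules:
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \wscript.exe
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \cscript.exe
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \mshta.exe
respond:
  - action: report
metadata:
  author: Florian Roth
  # Typo fixed: "could by a sign" -> "could be a sign".
  description: Detects a suspicious parent of csc.exe, which could be a sign of
    payload delivery
  level: high
  references:
    - https://twitter.com/SBousseaden/status/1094924091256176641
  tags:
    - attack.defense_evasion
    - attack.t1036
  name: Suspicious Parent of Csc.exe

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_csc_folder.yml:
--------------------------------------------------------------------------------
# Suspicious Csc.exe Source File Folder (rule continues on the next line)
# csc.exe compiling sources that live under AppData or Windows\Temp.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - case sensitive: false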
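# Continuation of win_susp_csc_folder.yml: the rule opened on the previous line
# gets its operator, path and value here. Reproduced unchanged.
          op: ends with
          path: event/FILE_PATH
          value: \csc.exe
        - op: or
          rules:
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: \AppData\
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: \Windows\Temp\
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious execution of csc.exe, which uses a source in
    a suspicious folder (e.g. AppData)
  level: high
  references:
    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
  tags:
    - attack.defense_evasion
    - attack.t1500
  name: Suspicious Csc.exe Source File Folder

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_eventlog_clear.yml:
--------------------------------------------------------------------------------
# Suspicious eventlog clear or configuration using wevtutil
# wevtutil.exe with the clear-log (cl) or set-log (sl) verb.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: or
          rules:
            # Second branch (no leading backslash) is a superset of the first.
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \wevtutil.exe
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: wevtutil.exe
        - op: or
          rules:
            # Surrounding spaces keep the short verbs from matching inside
            # other words; the verb therefore has to be followed by an argument.
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' cl '
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' clear-log '
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' sl '
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' set-log '
respond:
  - action: report
metadata:
  author: Ecco
  # Wording fixed ("uwing" -> "using", "ransomwares ... seen by" -> "ransomware ... seen with").
  description: Detects clearing or configuration of event logs using wevtutil. Might
    be used by ransomware during an attack (seen with NotPetya and others)
  level: high
  tags:
    - attack.execution
    - attack.t1070
    - car.2016-04-002
  name: Suspicious eventlog clear or configuration using wevtutil

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_execution_path_webserver.yml:
--------------------------------------------------------------------------------
# Execution in Webserver Root Folder
# A process image located under a web document root, excluding the
# (bin/Tools/SMSComponent directory AND parent services.exe) combination.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: or
          rules:
            - case sensitive: false
              op: contains
              path: event/FILE_PATH
              value: \wwwroot\
            - case sensitive: false
              op: contains
              path: event/FILE_PATH
              value: \wmpub\
            - case sensitive: false
              op: contains
              path: event/FILE_PATH
              value: \htdocs\
        # Exclusion is NOT (path-in-list AND parent is services.exe): both
        # conditions must hold for an event to be suppressed.
        - not: true
          op: and
          rules:
            - op: or
              rules:
                # No leading backslash on purpose: also matches e.g. "cgi-bin\".
                - case sensitive: false
                  op: contains
                  path: event/FILE_PATH
                  value: bin\
                - case sensitive: false
                  op: contains
                  path: event/FILE_PATH
                  value: \Tools\
                - case sensitive: false
                  op: contains
                  path: event/FILE_PATH
                  value: \SMSComponent\
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \services.exe
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious program execution in a web service root folder
    (filter out false positives)
  level: medium
  tags:
    - attack.persistence
    - attack.t1100
  name: Execution in Webserver Root Folder

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_fsutil_usage.yml: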
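--------------------------------------------------------------------------------
# Fsutil suspicious invocation
# fsutil.exe used to delete or (re)create the NTFS USN change journal.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: or
          rules:
            # Second branch (no leading backslash) is a superset of the first.
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \fsutil.exe
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: fsutil.exe
        - op: or
          rules:
            # Surrounding spaces: the verb must be followed by an argument
            # (e.g. "deletejournal /D C:").
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' deletejournal '
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' createjournal '
respond:
  - action: report
metadata:
  author: Ecco
  # Wording fixed ("ransomwares during the attack (seen by" -> "ransomware during an attack (seen with").
  description: Detects suspicious parameters of fsutil (deleting USN journal, configuring
    it with small size..). Might be used by ransomware during an attack (seen
    with NotPetya and others)
  level: high
  references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
  name: Fsutil suspicious invocation

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_gup.yml:
--------------------------------------------------------------------------------
# Suspicious GUP Usage (rule continues on the next line)
# Notepad++'s updater (gup.exe) running from anywhere other than its four known
# install locations - the binary is a known DLL side-loading host.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \GUP.exe
        # Allow-list of legitimate locations (negated).
        - not: true
          op: or
          rules:
            - case sensitive: false
              op: matches
              path: event/FILE_PATH
              re: C:\\Users\\.*\\AppData\\Local\\Notepad\+\+\\updater\\gup\.exe
            - case sensitive: false
              op: matches
              path: event/FILE_PATH
              re: C:\\Users\\.*\\AppData\\Roaming\\Notepad\+\+\\updater\\gup\.exe
            - case sensitive: false
              op: is
              path: event/FILE_PATH
              value: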
# Continuation of win_susp_gup.yml: the value of the "is" rule opened on the
# previous line, then the last allow-list entry and the metadata.
                C:\Program Files\Notepad++\updater\gup.exe
            - case sensitive: false
              op: is
              path: event/FILE_PATH
              value: C:\Program Files (x86)\Notepad++\updater\gup.exe
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects execution of the Notepad++ updater in a suspicious directory,
    which is often used in DLL side-loading attacks
  level: high
  references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
  tags:
    - attack.defense_evasion
    - attack.t1073
  name: Suspicious GUP Usage

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_iss_module_install.yml:
--------------------------------------------------------------------------------
# IIS Native-Code Module Command Line Installation
# appcmd.exe used to register a native IIS module (e.g. the RGDoor backdoor).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # NOTE(review): the leading backslash means appcmd has to be referenced by
    # path; a bare "appcmd install module /name:" would not match. appcmd lives in
    # %windir%\System32\inetsrv, which is not on PATH by default, so the path
    # form is the usual one - confirm before loosening.
    - case sensitive: false
      op: contains
      path: event/COMMAND_LINE
      value: '\APPCMD.EXE install module /name:'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious IIS native-code module installations via command
    line
  level: medium
  references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
  tags:
    - attack.persistence
    - attack.t1100
  name: IIS Native-Code Module Command Line Installation

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_msiexec_web_install.yml:
--------------------------------------------------------------------------------
# MsiExec Web Install (regex and metadata continue on the next line)
# msiexec invoked with a URL as the package location.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
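# Continuation of win_susp_msiexec_web_install.yml: the regex of the "matches"
# rule opened on the previous line, then the metadata.
      # The former pattern ".*\ msiexec.*://.*" demanded a space immediately before
      # "msiexec", so an invocation by full path ("C:\Windows\System32\msiexec.exe"
      # /i http://...), where the name follows a backslash, could never match.
      # Now: the name, optional ".exe", optional closing quote, whitespace, and a
      # URL scheme separator somewhere later on the command line.
      re: '.*msiexec(\.exe)?"?\s.*://.*'
respond:
  - action: report
metadata:
  author: Florian Roth
  # Typo fixed: "addreses" -> "addresses".
  description: Detects suspicious msiexec process starts with web addresses as parameter
  level: medium
  references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
  tags:
    - attack.defense_evasion
  name: MsiExec Web Install

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_ntdsutil.yml:
--------------------------------------------------------------------------------
# Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # The former single rule matched "\ntdsutil" on the command line, i.e. only an
    # invocation by path. The tool sits in System32 and is typically typed by bare
    # name ("ntdsutil "ac i ntds" ifm ..."), which that rule missed. Match the
    # image path, or the name anywhere on the command line.
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \ntdsutil.exe
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ntdsutil
respond:
  - action: report
metadata:
  author: Thomas Patzke
  description: Detects execution of ntdsutil.exe, which can be used for various
    attacks against the NTDS database (NTDS.DIT)
  level: high
  references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
  tags:
    - attack.credential_access
    - attack.t1003
  name: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_outlook.yml:
--------------------------------------------------------------------------------
# Suspicious Execution from Outlook (rule continues on the next line)
# Either the EnableUnsafeClientMailRules switch on a command line, or an .exe
# started by outlook.exe from a UNC path (Ruler-style rule execution).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: EnableUnsafeClientMailRules
        - op: and
          rules:
            - case sensitive: false
              op: ends with
              path: event/PARENT/FILE_PATH
              value: \outlook.exe
            - case sensitive: false
              op: matches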
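# Continuation of win_susp_outlook.yml: path and regex of the "matches" rule
# opened on the previous line, then the metadata.
              path: event/COMMAND_LINE
              # Child of Outlook started from a UNC path (\\host\share\x.exe).
              # A leading ".*" is added so the pattern also matches when the path
              # is quoted or preceded by other text, consistent with the other
              # "matches" rules in this set; the former pattern had none.
              re: '.*\\\\.*\\.*\.exe.*'
respond:
  - action: report
metadata:
  author: Markus Neis
  description: Detects EnableUnsafeClientMailRules used for Script Execution from
    Outlook
  level: high
  references:
    - https://github.com/sensepost/ruler
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
  tags:
    - attack.execution
    - attack.t1059
    - attack.t1202
  name: Suspicious Execution from Outlook

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_outlook_temp.yml:
--------------------------------------------------------------------------------
# Execution in Outlook Temp Folder
# A process image inside Outlook's attachment cache directory.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # The distinctive component is "Content.Outlook"; the former value
    # "\Temporary Internet Files\Content.Outlook\" additionally pinned the parent
    # folder name and so only covered one Outlook/Windows generation. Matching the
    # Content.Outlook component alone is a strict superset of the old match.
    - case sensitive: false
      op: contains
      path: event/FILE_PATH
      value: \Content.Outlook\
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious program execution in Outlook temp folder
  level: high
  tags:
    - attack.initial_access
    - attack.t1193
  name: Execution in Outlook Temp Folder

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_ping_hex_ip.yml:
--------------------------------------------------------------------------------
# Ping Hex IP (metadata continues on the next line)
# ping given a hex-encoded address (0x7f000001 or 0x7f.0x0.0x0.0x1 style).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # The former "contains '\ping.exe 0x'" / "'\ping 0x'" values required the
    # binary to be referenced by path AND the hex argument to follow it
    # immediately: "ping 0x7f000001" typed at a prompt (no backslash) or
    # "ping -n 1 0x7f000001" (an option in between) were missed. The regex
    # accepts ping at the start of the command line or after a backslash, space
    # or quote, optional ".exe"/closing quote, then a whitespace-delimited
    # 0x<hex> token anywhere among the arguments.
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      re: '(.*[\\\s"])?ping(\.exe)?"?\s(.*\s)?0x[0-9a-f]+.*'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a ping command that uses a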
# Continuation of win_susp_ping_hex_ip.yml (folded description text, then the
# remaining metadata). Reproduced unchanged.
    hex encoded IP address
  level: high
  references:
    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
    - https://twitter.com/vysecurity/status/977198418354491392
  tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.t1027
  name: Ping Hex IP

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_powershell_empire_launch.yml:
--------------------------------------------------------------------------------
# Empire PowerShell Launch Parameters
# The three fixed PowerShell switch sequences emitted by Empire's launchers
# (see the referenced helpers.py / module sources). Exact substrings, so any
# change in switch order or spacing by the operator would evade this rule.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -NoP -sta -NonI -W Hidden -Enc '
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -noP -sta -w 1 -enc '
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -NoP -NonI -W Hidden -enc '
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious powershell command line parameters used in Empire
  level: critical
  references:
    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
  tags:
    - attack.execution
    - attack.t1086
  name: Empire PowerShell Launch Parameters

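--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_powershell_empire_uac_bypass.yml:
--------------------------------------------------------------------------------
# Empire PowerShell UAC Bypass
# The PowerShell one-liner written by Empire's Invoke-EventVwrBypass /
# Invoke-FodHelperBypass, which reads its payload from the
# HKCU:Software\Microsoft\Windows Update registry key.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # "contains" is a literal substring test. The converted values carried
        # doubled backslashes ("Software\\Microsoft\\Windows Update"), a Sigma
        # escaping artifact that never occurs in the actual launcher string, so
        # neither branch could fire. Single backslashes, as every other
        # "contains" value in this rule set uses.
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
respond:
  - action: report
metadata:
  author: Ecco
  description: Detects some Empire PowerShell UAC bypass methods
  level: critical
  references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
  tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1088
    - car.2019-04-001
  name: Empire PowerShell UAC Bypass

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_procdump.yml:
--------------------------------------------------------------------------------
# Suspicious Use of Procdump (rule continues on the next line)
# Procdump's "-ma" (full dump) switch together with an lsass target, matched on
# the command line only so a renamed procdump binary is still caught.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - op: and
          rules:
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' -ma '
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' lsass'
        - case sensitive: false
          op: contains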
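# Continuation of win_susp_procdump.yml: path and value of the "contains" rule
# opened on the previous line ("-ma ls" = "-ma lsass" abbreviated), then the
# metadata. Reproduced unchanged.
          path: event/COMMAND_LINE
          value: ' -ma ls'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious uses of the SysInternals Procdump utility by using
    a special command line parameter in combination with the lsass.exe process.
    This way we're also able to catch cases in which the attacker has renamed the
    procdump executable.
  level: medium
  references:
    - Internal Research
  tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.credential_access
    - attack.t1003
    - car.2013-05-009
  name: Suspicious Use of Procdump

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_prog_location_process_starts.yml:
--------------------------------------------------------------------------------
# Suspicious Program Location Process Starts (metadata continues on the next line)
# A process image located in a directory that normally holds no executables.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # Was "ends with \$Recycle.bin": an executable's path never ends with the
        # recycle-bin directory name itself, so that branch was dead. Match the
        # directory as a path component, as the other entries in this list do.
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \$Recycle.bin\
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \Users\Public\
        # Perflogs is anchored to the volume root (drive letter or
        # \Device\HarddiskVolumeN form) so that "...\something\Perflogs\" under a
        # deeper path does not match.
        - case sensitive: false
          op: matches
          path: event/FILE_PATH
          re: ^(?:(?:.:)|(?:\\Device\\HarddiskVolume.))\\Perflogs\\
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \Windows\Fonts\
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \Windows\IME\
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \Windows\addins\
        - case sensitive: false
          op: contains
          path: event/FILE_PATH
          value: \Windows\debug\
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects programs running in suspicious files system locations
  level: high
  references:
    -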
# Continuation of win_susp_prog_location_process_starts.yml: the reference URL
# for the list item opened on the previous line, then the remaining metadata.
      https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
  tags:
    - attack.defense_evasion
    - attack.t1036
  name: Suspicious Program Location Process Starts

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_ps_appdata.yml:
--------------------------------------------------------------------------------
# PowerShell Script Run in AppData
# "<something> /c powershell ..." with a path under AppData\Local or
# AppData\Roaming later on the command line. Only the cmd-launched form is
# matched; a direct "powershell.exe -File ...\AppData\..." start is out of scope.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: .*\ /c\ powershell.*\\AppData\\Local\\.*
        - case sensitive: false
          op: matches
          path: event/COMMAND_LINE
          re: .*\ /c\ powershell.*\\AppData\\Roaming\\.*
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects a suspicious command line execution that invokes PowerShell
    with reference to an AppData folder
  level: medium
  references:
    - https://twitter.com/JohnLaTwC/status/1082851155481288706
    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
  tags:
    - attack.execution
    - attack.t1086
  name: PowerShell Script Run in AppData

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_rasdial_activity.yml:
--------------------------------------------------------------------------------
# Suspicious RASdial Activity (tags continue on the next line)
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    # NOTE(review): "is" is an exact match, so this only fires on a command line
    # that is literally "rasdial" (the bare invocation that lists connections).
    # "rasdial.exe", a full path, or any argument will not match - confirm that
    # this narrow scope is intended before relying on the rule.
    - case sensitive: false
      op: is
      path: event/COMMAND_LINE
      value: rasdial
respond:
  - action: report
metadata:
  author: juju4
  description: Detects suspicious process related to rasdial.exe
  level: medium
  references:
    - https://twitter.com/subTee/status/891298217907830785
  tags:
    -
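# Continuation of win_susp_rasdial_activity.yml: the first tag (list item opened
# on the previous line), the remaining tags and the name. Reproduced unchanged.
      attack.defense_evasion
    - attack.execution
    - attack.t1064
  name: Suspicious RASdial Activity

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_recon_activity.yml:
--------------------------------------------------------------------------------
# Suspicious Reconnaissance Activity
# "net group" / "net localgroup" enumeration of the privileged groups.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # The former rules used "is" (exact match on the whole command line), so
        # "net.exe group ...", "net1 group ...", a full path, or any extra
        # whitespace escaped them. The verb-plus-group fragment is specific
        # enough to be matched as a substring instead.
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: group "domain admins"
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: localgroup administrators
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious command line activity on Windows systems
  level: medium
  tags:
    - attack.discovery
    - attack.t1087
  name: Suspicious Reconnaissance Activity

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_rundll32_by_ordinal.yml:
--------------------------------------------------------------------------------
# Suspicious Call by Ordinal
# rundll32 calling a DLL export by ordinal ("foo.dll,#2") instead of by name.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      # The former pattern ".*\\rundll32\.exe\ .*,\#.*" required the binary to be
      # referenced by path and "#" to be glued to the comma. rundll32 is commonly
      # typed bare and also accepts whitespace after the comma ("foo.dll, #2");
      # both forms are now matched.
      re: '.*rundll32(\.exe)?"?\s+.*,\s*#.*'
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
  level: high
  references:
    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
    - https://github.com/Neo23x0/DLLRunner
    - https://twitter.com/cyb3rops/status/1186631731543236608
  tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1085
  name: Suspicious Call by Ordinal
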
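--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_schtask_creation.yml:
--------------------------------------------------------------------------------
# Scheduled Task Creation
# schtasks /create run by anyone other than SYSTEM (i.e. in a user session).
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - op: and
          rules:
            - case sensitive: false
              op: ends with
              path: event/FILE_PATH
              value: \schtasks.exe
            - case sensitive: false
              op: contains
              path: event/COMMAND_LINE
              value: ' /create '
        # Exclude tasks created by SYSTEM itself (OS and agent housekeeping).
        - case sensitive: false
          not: true
          op: is
          path: event/USER_NAME
          value: NT AUTHORITY\SYSTEM
respond:
  - action: report
metadata:
  author: Florian Roth
  description: Detects the creation of scheduled tasks in user session
  level: low
  tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1053
    - attack.s0111
    - car.2013-08-001
  name: Scheduled Task Creation

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_script_execution.yml:
--------------------------------------------------------------------------------
# WSF/JSE/JS/VBA/VBE File Execution
# wscript/cscript started with a .jse, .vbe, .js or .vba file argument.
# NOTE(review): despite the rule name, neither .wsf nor .vbs is in the list;
# this mirrors the original rule and may be a deliberate noise trade-off -
# confirm before extending.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \wscript.exe
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \cscript.exe
    # One regex replaces the four former "ends with" rules on the command line.
    # Those only matched when the script path was the very last thing on the
    # line; a quoted path (wscript.exe "C:\...\x.js") ends with a quote, and a
    # script given arguments (cscript x.js arg) ends with the argument, so both
    # were missed. The extension must now be followed by a quote, whitespace or
    # the end of the line.
    - case sensitive: false
      op: matches
      path: event/COMMAND_LINE
      re: '.*\.(jse|vbe|js|vba)("|\s|$).*'
respond:
  - action: report
metadata:
  author: Michael Haag
  description: Detects suspicious file execution by wscript and cscript
  level: medium
  tags:
    - attack.execution
    - attack.t1064
  name: WSF/JSE/JS/VBA/VBE File Execution

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_squirrel_lolbin.yml:
--------------------------------------------------------------------------------
# Squirrel Lolbin
# Squirrel's update.exe (shipped with many Electron apps) used to launch an
# arbitrary executable via its --processStart / --createShortcut switches.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: and
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \update.exe
        - op: or
          rules:
            # "--processStart" is a prefix of "--processStartAndWait", so the
            # second pattern is a subset of the first; kept for readability.
            - case sensitive: false
              op: matches
              path: event/COMMAND_LINE
              re: '.*--processStart.*\.exe.*'
            - case sensitive: false
              op: matches
              path: event/COMMAND_LINE
              re: '.*--processStartAndWait.*\.exe.*'
            # The converted pattern read "\u2013createShortcut" - an EN DASH
            # (U+2013) in place of two ASCII hyphens - so it could never match
            # the real "--createShortcut" switch.
            - case sensitive: false
              op: matches
              path: event/COMMAND_LINE
              re: '.*--createShortcut.*\.exe.*'
respond:
  - action: report
metadata:
  author: Karneades / Markus Neis
  description: Detects Possible Squirrel Packages Manager as Lolbin
  level: high
  references:
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
  tags:
    - attack.execution
  name: Squirrel Lolbin

--------------------------------------------------------------------------------
/Sigma/dr_rules/windows_process_creation/win_susp_svchost.yml:
--------------------------------------------------------------------------------
# Head of win_susp_svchost.yml; the first rule's operator and the rest of the
# file follow on the next line. Reproduced unchanged.
detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: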
is windows 8 | - op: and 9 | rules: 10 | - op: and 11 | rules: 12 | - case sensitive: false 13 | op: ends with 14 | path: event/FILE_PATH 15 | value: \svchost.exe 16 | - not: true 17 | op: or 18 | rules: 19 | - case sensitive: false 20 | op: ends with 21 | path: event/PARENT/FILE_PATH 22 | value: \services.exe 23 | - case sensitive: false 24 | op: ends with 25 | path: event/PARENT/FILE_PATH 26 | value: \MsMpEng.exe 27 | - case sensitive: false 28 | op: ends with 29 | path: event/PARENT/FILE_PATH 30 | value: \Mrt.exe 31 | - case sensitive: false 32 | op: ends with 33 | path: event/PARENT/FILE_PATH 34 | value: \rpcnet.exe 35 | - not: false 36 | op: exists 37 | path: event/PARENT/FILE_PATH 38 | respond: 39 | - action: report 40 | metadata: 41 | author: Florian Roth 42 | description: Detects a suspicious svchost process start 43 | level: high 44 | tags: 45 | - attack.defense_evasion 46 | - attack.t1036 47 | name: Suspicious Svchost Process 48 | 49 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_sysprep_appdata.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/COMMAND_LINE 13 | re: .*\\sysprep\.exe\ .*\\AppData\\.* 14 | - case sensitive: false 15 | op: matches 16 | path: event/COMMAND_LINE 17 | re: sysprep\.exe\ .*\\AppData\\.* 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects suspicious sysprep process start with AppData folder as target 23 | (as used by Trojan Syndicasec in Thrip report by Symantec) 24 | level: medium 25 | references: 26 | - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets 27 | - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b 
28 | tags: 29 | - attack.execution 30 | name: Sysprep on AppData Folder 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_sysvol_access.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: matches 10 | path: event/COMMAND_LINE 11 | re: .*\\SYSVOL\\.*\\policies\\.* 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Markus Neis 16 | description: Detects Access to Domain Group Policies stored in SYSVOL 17 | level: medium 18 | references: 19 | - https://adsecurity.org/?p=2288 20 | - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 21 | tags: 22 | - attack.credential_access 23 | - attack.t1003 24 | name: Suspicious SYSVOL Domain Group Policy Access 25 | 26 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_taskmgr_localsystem.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: is 12 | path: event/USER_NAME 13 | value: NT AUTHORITY\SYSTEM 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \taskmgr.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM 23 | level: high 24 | tags: 25 | - attack.defense_evasion 26 | - attack.t1036 27 | name: Taskmgr as LOCAL_SYSTEM 28 | 29 | -------------------------------------------------------------------------------- 
/Sigma/dr_rules/windows_process_creation/win_susp_taskmgr_parent.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \taskmgr.exe 14 | - not: true 15 | op: or 16 | rules: 17 | - case sensitive: false 18 | op: ends with 19 | path: event/FILE_PATH 20 | value: \resmon.exe 21 | - case sensitive: false 22 | op: ends with 23 | path: event/FILE_PATH 24 | value: \mmc.exe 25 | - case sensitive: false 26 | op: ends with 27 | path: event/FILE_PATH 28 | value: \taskmgr.exe 29 | respond: 30 | - action: report 31 | metadata: 32 | author: Florian Roth 33 | description: Detects the creation of a process from Windows task manager 34 | level: low 35 | tags: 36 | - attack.defense_evasion 37 | - attack.t1036 38 | name: Taskmgr as Parent 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_tscon_localsystem.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: is 12 | path: event/USER_NAME 13 | value: NT AUTHORITY\SYSTEM 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \tscon.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects a tscon.exe start as LOCAL SYSTEM 23 | level: high 24 | references: 25 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 26 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 27 | tags: 28 | - 
attack.command_and_control 29 | - attack.t1219 30 | name: Suspicious TSCON Start 31 | 32 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_tscon_rdp_redirect.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: contains 10 | path: event/COMMAND_LINE 11 | value: ' /dest:rdp-tcp:' 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects a suspicious RDP session redirect using tscon.exe 17 | level: high 18 | references: 19 | - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html 20 | - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 21 | tags: 22 | - attack.lateral_movement 23 | - attack.privilege_escalation 24 | - attack.t1076 25 | - car.2013-07-002 26 | name: Suspicious RDP Redirect Using TSCON 27 | 28 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_userinit_child.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \userinit.exe 14 | - not: true 15 | op: or 16 | rules: 17 | - case sensitive: false 18 | op: contains 19 | path: event/COMMAND_LINE 20 | value: \explorer.exe 21 | - case sensitive: false 22 | op: contains 23 | path: event/COMMAND_LINE 24 | value: \\netlogon\ 25 | respond: 26 | - action: report 27 | metadata: 28 | author: Florian Roth (rule), Samir Bousseaden (idea) 29 | description: Detects the creation 
of a process from Windows task manager 30 | level: high 31 | references: 32 | - https://twitter.com/SBousseaden/status/1139811587760562176 33 | name: Suspicious Userinit Child Process 34 | 35 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_whoami.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: or 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \whoami.exe 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: whoami.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects the execution of whoami, which is often used by attackers 23 | after exploitation / privilege escalation but rarely used by administrators 24 | level: high 25 | references: 26 | - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ 27 | - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ 28 | tags: 29 | - attack.discovery 30 | - attack.t1033 31 | - car.2016-03-001 32 | name: Whoami Execution 33 | 34 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_susp_wmi_execution.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/FILE_PATH 13 | value: \wmic.exe 14 | - op: or 15 | rules: 16 | - case sensitive: false 17 | op: matches 18 | path: event/COMMAND_LINE 19 | re: .*/NODE:.*process\ call\ create\ .* 20 | - case sensitive: false 21 | op: contains 22 | path: 
event/COMMAND_LINE 23 | value: ' path AntiVirusProduct get ' 24 | - case sensitive: false 25 | op: contains 26 | path: event/COMMAND_LINE 27 | value: ' path FirewallProduct get ' 28 | - case sensitive: false 29 | op: contains 30 | path: event/COMMAND_LINE 31 | value: ' shadowcopy delete ' 32 | respond: 33 | - action: report 34 | metadata: 35 | author: Michael Haag, Florian Roth, juju4 36 | description: Detects WMI executing suspicious commands 37 | level: medium 38 | references: 39 | - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ 40 | - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 41 | - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ 42 | tags: 43 | - attack.execution 44 | - attack.t1047 45 | - car.2016-03-002 46 | name: Suspicious WMI execution 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_termserv_proc_spawn.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: matches 12 | path: event/PARENT/COMMAND_LINE 13 | re: .*\\svchost\.exe.*termsvcs 14 | - case sensitive: false 15 | not: true 16 | op: ends with 17 | path: event/FILE_PATH 18 | value: \rdpclip.exe 19 | respond: 20 | - action: report 21 | metadata: 22 | author: Florian Roth 23 | description: Detects a process spawned by the terminal service server process 24 | (this could be an indicator for an exploitation of CVE-2019-0708) 25 | level: high 26 | references: 27 | - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ 28 | tags: 29 | - car.2013-07-002 30 | name: Terminal Service Process Spawn 31 | 32 | 
-------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_vul_java_remote_debugging.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: contains 12 | path: event/COMMAND_LINE 13 | value: transport=dt_socket,address= 14 | - not: true 15 | op: or 16 | rules: 17 | - case sensitive: false 18 | op: contains 19 | path: event/COMMAND_LINE 20 | value: address=127.0.0.1 21 | - case sensitive: false 22 | op: contains 23 | path: event/COMMAND_LINE 24 | value: address=localhost 25 | respond: 26 | - action: report 27 | metadata: 28 | author: Florian Roth 29 | description: Detects a Java process running with remote debugging allowing more 30 | than just localhost to connect 31 | level: medium 32 | tags: 33 | - attack.discovery 34 | - attack.t1046 35 | name: Java Running with Remote Debugging 36 | 37 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_win10_sched_task_0day.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: is 12 | path: event/FILE_PATH 13 | value: schtasks.exe 14 | - case sensitive: false 15 | op: matches 16 | path: event/COMMAND_LINE 17 | re: .*/change.*/TN.*/RU.*/RP.* 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Olaf Hartong 22 | description: Detects Task Scheduler .job import arbitrary DACL write 23 | level: high 24 | references: 25 | - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe 26 | tags: 27 | - attack.privilege_escalation 28 | - attack.execution 29 | - attack.t1053 
30 | - car.2013-08-001 31 | name: Windows 10 scheduled task SandboxEscaper 0-day 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_wmi_backdoor_exchange_transport_agent.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: ends with 10 | path: event/PARENT/FILE_PATH 11 | value: \EdgeTransport.exe 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Florian Roth 16 | description: Detects a WMI backdoor in Exchange Transport Agents via WMI event 17 | filters 18 | level: critical 19 | references: 20 | - https://twitter.com/cglyer/status/1182389676876980224 21 | - https://twitter.com/cglyer/status/1182391019633029120 22 | tags: 23 | - attack.persistence 24 | - attack.t1084 25 | name: WMI Backdoor Exchange Transport Agent 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_wmi_persistence_script_event_consumer.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: is 12 | path: event/FILE_PATH 13 | value: C:\WINDOWS\system32\wbem\scrcons.exe 14 | - case sensitive: false 15 | op: is 16 | path: event/PARENT/FILE_PATH 17 | value: C:\Windows\System32\svchost.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Thomas Patzke 22 | description: Detects WMI script event consumers 23 | level: high 24 | references: 25 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 26 | tags: 27 | - attack.execution 28 | - attack.persistence 29 | - attack.t1047 30 | name: WMI Persistence - Script Event Consumer 31 | 32 | 
-------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_wmi_spwns_powershell.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - op: and 9 | rules: 10 | - case sensitive: false 11 | op: ends with 12 | path: event/PARENT/FILE_PATH 13 | value: \wmiprvse.exe 14 | - case sensitive: false 15 | op: ends with 16 | path: event/FILE_PATH 17 | value: \powershell.exe 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Markus Neis / @Karneades 22 | description: Detects WMI spawning PowerShell 23 | level: high 24 | references: 25 | - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml 26 | - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e 27 | tags: 28 | - attack.execution 29 | - attack.defense_evasion 30 | - attack.t1064 31 | name: WMI Spawning Windows PowerShell 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_process_creation/win_workflow_compiler.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | events: 3 | - NEW_PROCESS 4 | - EXISTING_PROCESS 5 | op: and 6 | rules: 7 | - op: is windows 8 | - case sensitive: false 9 | op: ends with 10 | path: event/FILE_PATH 11 | value: \Microsoft.Workflow.Compiler.exe 12 | respond: 13 | - action: report 14 | metadata: 15 | author: Nik Seetharaman 16 | description: Detects invocation of Microsoft Workflow Compiler, which may permit 17 | the execution of arbitrary unsigned code. 
18 | level: high 19 | references: 20 | - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb 21 | tags: 22 | - attack.defense_evasion 23 | - attack.execution 24 | - attack.t1127 25 | name: Microsoft Workflow Compiler 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_ads_executable.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '15' 9 | - case sensitive: false 10 | not: true 11 | op: is 12 | path: Event/EventData/Imphash 13 | value: '00000000000000000000000000000000' 14 | target: log 15 | respond: 16 | - action: report 17 | metadata: 18 | author: Florian Roth, @0xrawsec 19 | description: Detects the creation of an ADS data stream that contains an executable 20 | (non-empty imphash) 21 | level: critical 22 | references: 23 | - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 24 | tags: 25 | - attack.defense_evasion 26 | - attack.t1027 27 | - attack.s0139 28 | name: Executable in ADS 29 | 30 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_cobaltstrike_process_injection.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '8' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/TargetProcessAddress 12 | value: 0B80 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Olaf Hartong, Florian Roth 18 | description: Detects a possible remote threat creation with certain characteristics 19 | which are typical for Cobalt Strike beacons 20 | level: high 21 | references: 
22 | - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f 23 | tags: 24 | - attack.defense_evasion 25 | - attack.t1055 26 | name: CobaltStrike Process Injection 27 | 28 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_dhcp_calloutdll.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: ends with 13 | path: Event/EventData/TargetObject 14 | value: \Services\DHCPServer\Parameters\CalloutDlls 15 | - case sensitive: false 16 | op: ends with 17 | path: Event/EventData/TargetObject 18 | value: \Services\DHCPServer\Parameters\CalloutEnabled 19 | target: log 20 | respond: 21 | - action: report 22 | metadata: 23 | author: Dimitrios Slamaris 24 | description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled 25 | parameter in Registry, which can be used to execute code in context of the DHCP 26 | server (restart required) 27 | level: high 28 | references: 29 | - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html 30 | - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx 31 | - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx 32 | tags: 33 | - attack.defense_evasion 34 | - attack.t1073 35 | - attack.t1112 36 | name: DHCP Callout DLL installation 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_ghostpack_safetykatz.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '11' 9 | - case sensitive: false 10 | op: ends 
with 11 | path: Event/EventData/TargetFilename 12 | value: \Temp\debug.bin 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Markus Neis 18 | description: Detects possible SafetyKatz Behaviour 19 | level: high 20 | references: 21 | - https://github.com/GhostPack/SafetyKatz 22 | tags: 23 | - attack.credential_access 24 | - attack.t1003 25 | name: Detection of SafetyKatz 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_lsass_memdump.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '10' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/TargetImage 12 | value: C:\windows\system32\lsass.exe 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/GrantedAccess 16 | value: '0x1fffff' 17 | - op: or 18 | rules: 19 | - case sensitive: false 20 | op: contains 21 | path: Event/EventData/CallTrace 22 | value: dbghelp.dll 23 | - case sensitive: false 24 | op: contains 25 | path: Event/EventData/CallTrace 26 | value: dbgcore.dll 27 | target: log 28 | respond: 29 | - action: report 30 | metadata: 31 | author: Samir Bousseaden 32 | description: Detects process LSASS memory dump using procdump or taskmgr based 33 | on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 34 | level: high 35 | references: 36 | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html 37 | tags: 38 | - attack.t1003 39 | - attack.s0002 40 | - attack.credential_access 41 | name: LSASS Memory Dump 42 | 43 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_malware_verclsid_shellcode.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | 
op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '10' 11 | - case sensitive: false 12 | op: ends with 13 | path: Event/EventData/TargetImage 14 | value: \verclsid.exe 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/GrantedAccess 18 | value: '0x1FFFFF' 19 | - op: or 20 | rules: 21 | - case sensitive: false 22 | op: matches 23 | path: Event/EventData/CallTrace 24 | re: .*\|UNKNOWN\(.*VBE7\.DLL.* 25 | - op: and 26 | rules: 27 | - case sensitive: false 28 | op: contains 29 | path: Event/EventData/SourceImage 30 | value: \Microsoft Office\ 31 | - case sensitive: false 32 | op: contains 33 | path: Event/EventData/CallTrace 34 | value: '|UNKNOWN' 35 | target: log 36 | respond: 37 | - action: report 38 | metadata: 39 | author: John Lambert (tech), Florian Roth (rule) 40 | description: Detects a process access to verclsid.exe that injects shellcode from 41 | a Microsoft Office application / VBA macro 42 | level: high 43 | references: 44 | - https://twitter.com/JohnLaTwC/status/837743453039534080 45 | tags: 46 | - attack.defense_evasion 47 | - attack.privilege_escalation 48 | - attack.t1055 49 | name: Malware Shellcode in Verclsid Target Process 50 | 51 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_mimikatz_detection_lsass.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '10' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/TargetImage 12 | value: C:\windows\system32\lsass.exe 13 | - op: or 14 | rules: 15 | - case sensitive: false 16 | op: is 17 | path: Event/EventData/GrantedAccess 18 | value: '0x1410' 19 | - case sensitive: false 20 | op: is 21 | path: Event/EventData/GrantedAccess 22 | value: '0x1010' 23 | target: log 
24 | respond: 25 | - action: report 26 | metadata: 27 | description: Detects process access to LSASS which is typical for Mimikatz (0x1000 28 | PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only 29 | old versions", 0x0010 PROCESS_VM_READ) 30 | level: high 31 | references: 32 | - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow 33 | - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html 34 | tags: 35 | - attack.t1003 36 | - attack.s0002 37 | - attack.credential_access 38 | - car.2019-04-004 39 | name: Mimikatz Detection LSASS Access 40 | 41 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_mimikatz_inmemory_detection.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '7' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Image 12 | value: C:\Windows\System32\rundll32.exe 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | description: Detects certain DLL loads when Mimikatz gets executed 18 | level: medium 19 | references: 20 | - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ 21 | tags: 22 | - attack.s0002 23 | - attack.t1003 24 | - attack.lateral_movement 25 | - attack.credential_access 26 | - car.2019-04-004 27 | name: Mimikatz In-Memory 28 | 29 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_mimikatz_trough_winrm.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '10' 9 | - case sensitive: false 
10 | op: is 11 | path: Event/EventData/TargetImage 12 | value: C:\windows\system32\lsass.exe 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/SourceImage 16 | value: C:\Windows\system32\wsmprovhost.exe 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Patryk Prauze - ING Tech 22 | description: Detects usage of mimikatz through WinRM protocol by monitoring access 23 | to lsass process by wsmprovhost.exe. 24 | level: high 25 | references: 26 | - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ 27 | tags: 28 | - attack.credential_access 29 | - attack.execution 30 | - attack.t1003 31 | - attack.t1028 32 | - attack.s0005 33 | name: Mimikatz through Windows Remote Management 34 | 35 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_password_dumper_lsass.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '8' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/TargetImage 12 | value: C:\Windows\System32\lsass.exe 13 | - not: true 14 | op: exists 15 | path: Event/EventData/StartModule 16 | target: log 17 | respond: 18 | - action: report 19 | metadata: 20 | author: Thomas Patzke 21 | description: Detects password dumper activity by monitoring remote thread creation 22 | EventID 8 in combination with the lsass.exe process as TargetImage. The process 23 | in field Process is the malicious program. A single execution can lead to hundreds 24 | of events. 
25 | level: high 26 | references: 27 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm 28 | tags: 29 | - attack.credential_access 30 | - attack.t1003 31 | - attack.s0005 32 | name: Password Dumper Remote Thread in LSASS 33 | 34 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_quarkspw_filedump.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '11' 9 | - case sensitive: false 10 | op: matches 11 | path: Event/EventData/TargetFilename 12 | re: .*\\AppData\\Local\\Temp\\SAM\-.*\.dmp.* 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: Detects a dump file written by QuarksPwDump password dumper 19 | level: critical 20 | references: 21 | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm 22 | tags: 23 | - attack.credential_access 24 | - attack.t1003 25 | name: QuarksPwDump Dump File 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_rdp_reverse_tunnel.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '3' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/Image 12 | value: \svchost.exe 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/Initiated 16 | value: 'true' 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/SourcePort 20 | value: '3389' 21 | - op: or 22 | rules: 23 | - case sensitive: false 24 | op: starts with 25 | path: Event/EventData/DestinationIp 26 | value: '127.' 
27 | - case sensitive: false 28 | op: is 29 | path: Event/EventData/DestinationIp 30 | value: ::1 31 | target: log 32 | respond: 33 | - action: report 34 | metadata: 35 | author: Samir Bousseaden 36 | description: Detects svchost hosting RDP termsvcs communicating with the loopback 37 | address and on TCP port 3389 38 | level: high 39 | references: 40 | - https://twitter.com/SBousseaden/status/1096148422984384514 41 | tags: 42 | - attack.defense_evasion 43 | - attack.command_and_control 44 | - attack.t1076 45 | - car.2013-07-002 46 | name: RDP over Reverse SSH Tunnel 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_rdp_settings_hijack.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: contains 13 | path: Event/EventData/TargetObject 14 | value: \services\TermService\Parameters\ServiceDll 15 | - case sensitive: false 16 | op: contains 17 | path: Event/EventData/TargetObject 18 | value: \Control\Terminal Server\fSingleSessionPerUser 19 | - case sensitive: false 20 | op: contains 21 | path: Event/EventData/TargetObject 22 | value: \Control\Terminal Server\fDenyTSConnections 23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Samir Bousseaden 28 | description: Detects changes to RDP terminal service sensitive settings 29 | level: high 30 | references: 31 | - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html 32 | tags: 33 | - attack.defense_evasion 34 | name: RDP Sensitive Settings Changed 35 | 36 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_renamed_powershell.yml: 
-------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/EventData/Description 10 | value: Windows PowerShell 11 | - case sensitive: false 12 | op: is 13 | path: Event/EventData/Company 14 | value: Microsoft Corporation 15 | - not: true 16 | op: or 17 | rules: 18 | - case sensitive: false 19 | op: ends with 20 | path: Event/EventData/Image 21 | value: \powershell.exe 22 | - case sensitive: false 23 | op: ends with 24 | path: Event/EventData/Image 25 | value: \powershell_ise.exe 26 | target: log 27 | respond: 28 | - action: report 29 | metadata: 30 | author: Florian Roth 31 | description: Detects the execution of a renamed PowerShell often used by attackers 32 | or malware 33 | level: critical 34 | references: 35 | - https://twitter.com/christophetd/status/1164506034720952320 36 | tags: 37 | - car.2013-05-009 38 | name: Renamed PowerShell 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_renamed_psexec.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/EventData/Description 10 | value: Execute processes remotely 11 | - case sensitive: false 12 | op: is 13 | path: Event/EventData/Product 14 | value: Sysinternals PsExec 15 | - not: true 16 | op: or 17 | rules: 18 | - case sensitive: false 19 | op: ends with 20 | path: Event/EventData/Image 21 | value: \PsExec.exe 22 | - case sensitive: false 23 | op: ends with 24 | path: Event/EventData/Image 25 | value: \PsExec64.exe 26 | target: log 27 | respond: 28 | - action: report 29 | metadata: 30 | author: Florian Roth 31 | description: Detects the execution of a renamed PsExec often used by attackers 32 | or malware 33 | level: 
high 34 | references: 35 | - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks 36 | tags: 37 | - car.2013-05-009 38 | name: Renamed PsExec 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_ssp_added_lsa_config.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '13' 11 | - op: or 12 | rules: 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/TargetObject 16 | value: HKLM\System\CurrentControlSet\Control\Lsa\Security Packages 17 | - case sensitive: false 18 | op: is 19 | path: Event/EventData/TargetObject 20 | value: HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages 21 | - not: true 22 | op: or 23 | rules: 24 | - case sensitive: false 25 | op: is 26 | path: Event/EventData/Image 27 | value: C:\Windows\system32\msiexec.exe 28 | - case sensitive: false 29 | op: is 30 | path: Event/EventData/Image 31 | value: C:\Windows\syswow64\MsiExec.exe 32 | target: log 33 | respond: 34 | - action: report 35 | metadata: 36 | author: iwillkeepwatch 37 | description: Detects the addition of a SSP to the registry. Upon a reboot or API 38 | call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. 
39 | level: critical 40 | references: 41 | - https://attack.mitre.org/techniques/T1101/ 42 | - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ 43 | tags: 44 | - attack.persistence 45 | - attack.t1011 46 | name: Security Support Provider (SSP) added to LSA configuration 47 | 48 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_download_run_key.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: contains 13 | path: Event/EventData/Image 14 | value: \Downloads\ 15 | - case sensitive: false 16 | op: contains 17 | path: Event/EventData/Image 18 | value: \Temporary Internet Files\Content.Outlook\ 19 | - case sensitive: false 20 | op: contains 21 | path: Event/EventData/Image 22 | value: \Local Settings\Temporary Internet Files\ 23 | - case sensitive: false 24 | op: contains 25 | path: Event/EventData/TargetObject 26 | value: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ 27 | target: log 28 | respond: 29 | - action: report 30 | metadata: 31 | author: Florian Roth 32 | description: Detects the suspicious RUN keys created by software located in Download 33 | or temporary Outlook/Internet Explorer directories 34 | level: high 35 | references: 36 | - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ 37 | tags: 38 | - attack.persistence 39 | - attack.t1060 40 | name: Suspicious RUN Key from Download 41 | 42 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_driver_load.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: 
Event/System/EventID 8 | value: '6' 9 | - case sensitive: false 10 | op: contains 11 | path: Event/EventData/ImageLoaded 12 | value: \Temp\ 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Florian Roth 18 | description: Detects a driver load from a temporary directory 19 | level: medium 20 | tags: 21 | - attack.persistence 22 | - attack.t1050 23 | name: Suspicious Driver Load from Temp 24 | 25 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_file_characteristics.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: matches 7 | path: Event/EventData/Description 8 | re: \? 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: matches 13 | path: Event/EventData/FileVersion 14 | re: \? 15 | - case sensitive: false 16 | op: matches 17 | path: Event/EventData/Product 18 | re: \? 19 | - case sensitive: false 20 | op: matches 21 | path: Event/EventData/Company 22 | re: \? 
23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Markus Neis 28 | description: Detects executables without FileVersion, Description, Product or Company fields, 29 | likely created with py2exe 30 | level: high 31 | references: 32 | - https://securelist.com/muddywater/88059/ 33 | - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection 34 | tags: 35 | - attack.defense_evasion 36 | - attack.execution 37 | - attack.t1064 38 | name: Suspicious File Characteristics due to Missing Fields 39 | 40 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_image_load.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '7' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/Image 12 | value: \notepad.exe 13 | - op: or 14 | rules: 15 | - case sensitive: false 16 | op: ends with 17 | path: Event/EventData/ImageLoaded 18 | value: \samlib.dll 19 | - case sensitive: false 20 | op: ends with 21 | path: Event/EventData/ImageLoaded 22 | value: \WinSCard.dll 23 | target: log 24 | respond: 25 | - action: report 26 | metadata: 27 | author: Markus Neis 28 | description: Detects loading of samlib.dll or WinSCard.dll by an untypical process, 29 | e.g.
through process hollowing by Mimikatz 30 | level: high 31 | references: 32 | - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html 33 | tags: 34 | - attack.defense_evasion 35 | - attack.t1073 36 | name: Possible Process Hollowing Image Loading 37 | 38 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_lsass_dll_load.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - op: or 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '12' 11 | - case sensitive: false 12 | op: is 13 | path: Event/System/EventID 14 | value: '13' 15 | - op: or 16 | rules: 17 | - case sensitive: false 18 | op: contains 19 | path: Event/EventData/TargetObject 20 | value: \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt 21 | - case sensitive: false 22 | op: contains 23 | path: Event/EventData/TargetObject 24 | value: \CurrentControlSet\Services\NTDS\LsaDbExtPt 25 | target: log 26 | respond: 27 | - action: report 28 | metadata: 29 | author: Florian Roth 30 | description: Detects a method to load DLL via LSASS process using an undocumented 31 | Registry key 32 | level: high 33 | references: 34 | - https://blog.xpnsec.com/exploring-mimikatz-part-1/ 35 | - https://twitter.com/SBousseaden/status/1183745981189427200 36 | tags: 37 | - attack.execution 38 | - attack.t1177 39 | name: DLL Load via LSASS 40 | 41 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_susp_powershell_rundll32.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '8' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/SourceImage 12 
| value: \powershell.exe 13 | - case sensitive: false 14 | op: ends with 15 | path: Event/EventData/TargetImage 16 | value: \rundll32.exe 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Florian Roth 22 | description: Detects PowerShell remote thread creation in Rundll32.exe 23 | level: high 24 | references: 25 | - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html 26 | tags: 27 | - attack.defense_evasion 28 | - attack.execution 29 | - attack.t1085 30 | - attack.t1086 31 | name: PowerShell Rundll32 Remote Thread Creation 32 | 33 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_suspicious_keyboard_layout_load.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: matches 13 | path: Event/EventData/TargetObject 14 | re: .*\\Keyboard\ Layout\\Preload\* 15 | - case sensitive: false 16 | op: matches 17 | path: Event/EventData/TargetObject 18 | re: .*\\Keyboard\ Layout\\Substitutes\* 19 | - op: or 20 | rules: 21 | - case sensitive: false 22 | op: is 23 | path: Event/EventData/Details 24 | value: 00000429 25 | - case sensitive: false 26 | op: is 27 | path: Event/EventData/Details 28 | value: 00050429 29 | - case sensitive: false 30 | op: is 31 | path: Event/EventData/Details 32 | value: 0000042a 33 | target: log 34 | respond: 35 | - action: report 36 | metadata: 37 | author: Florian Roth 38 | description: Detects the keyboard preload installation with a suspicious keyboard 39 | layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems 40 | maintained by US staff only 41 | level: medium 42 | references: 43 | - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index 44 | - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files 45 | name: Suspicious Keyboard Layout Load 46 | 47 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_sysinternals_eula_accepted.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/TargetObject 12 | value: \EulaAccepted 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Markus Neis 18 | description: Detects the usage of Sysinternals Tools due to accepteula key being 19 | added to Registry 20 | level: low 21 | references: 22 | - https://twitter.com/Moti_B/status/1008587936735035392 23 | name: Usage of Sysinternals Tools 24 | 25 | detect: 26 | events: 27 | - NEW_PROCESS 28 | - EXISTING_PROCESS 29 | op: and 30 | rules: 31 | - op: is windows 32 | - case sensitive: false 33 | op: contains 34 | path: event/COMMAND_LINE 35 | value: ' -accepteula' 36 | respond: 37 | - action: report 38 | metadata: 39 | author: Markus Neis 40 | description: Detects the usage of Sysinternals Tools due to accepteula key being 41 | added to Registry 42 | level: low 43 | references: 44 | - https://twitter.com/Moti_B/status/1008587936735035392 45 | name: Usage of Sysinternals Tools 46 | 47 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_tsclient_filewrite_startup.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log 
type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '11' 9 | - case sensitive: false 10 | op: ends with 11 | path: Event/EventData/Image 12 | value: \mstsc.exe 13 | - case sensitive: false 14 | op: contains 15 | path: Event/EventData/TargetFileName 16 | value: \Microsoft\Windows\Start Menu\Programs\Startup\ 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Samir Bousseaden 22 | description: Detects the usage of tsclient share to place a backdoor on the RDP 23 | source machine's startup folder 24 | level: high 25 | name: Hijack legit RDP session to move laterally 26 | 27 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_uac_bypass_eventvwr.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - op: and 6 | rules: 7 | - case sensitive: false 8 | op: is 9 | path: Event/System/EventID 10 | value: '13' 11 | - case sensitive: false 12 | op: matches 13 | path: Event/EventData/TargetObject 14 | re: HKEY_USERS\\.*\\mscfile\\shell\\open\\command 15 | - op: and 16 | rules: 17 | - op: and 18 | rules: 19 | - case sensitive: false 20 | op: is 21 | path: Event/System/EventID 22 | value: '1' 23 | - case sensitive: false 24 | op: ends with 25 | path: Event/EventData/ParentImage 26 | value: \eventvwr.exe 27 | - case sensitive: false 28 | not: true 29 | op: ends with 30 | path: Event/EventData/Image 31 | value: \mmc.exe 32 | target: log 33 | respond: 34 | - action: report 35 | metadata: 36 | author: Florian Roth 37 | description: Detects UAC bypass method using Windows event viewer 38 | level: critical 39 | references: 40 | - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ 41 | - 
https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 42 | tags: 43 | - attack.defense_evasion 44 | - attack.privilege_escalation 45 | - attack.t1088 46 | - car.2019-04-001 47 | name: UAC Bypass via Event Viewer 48 | 49 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_uac_bypass_sdclt.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - case sensitive: false 10 | op: matches 11 | path: Event/EventData/TargetObject 12 | re: HKEY_USERS\\.*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Omer Yampel 18 | description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand 19 | level: high 20 | references: 21 | - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ 22 | tags: 23 | - attack.defense_evasion 24 | - attack.privilege_escalation 25 | - attack.t1088 26 | - car.2019-04-001 27 | name: UAC Bypass via sdclt 28 | 29 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_win_binary_github_com.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '3' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Initiated 12 | value: 'true' 13 | - op: or 14 | rules: 15 | - case sensitive: false 16 | op: ends with 17 | path: Event/EventData/DestinationHostname 18 | value: .github.com 19 | - case sensitive: false 20 | op: ends with 21 | path: Event/EventData/DestinationHostname 22 | value: 
.githubusercontent.com 23 | - case sensitive: false 24 | op: starts with 25 | path: Event/EventData/Image 26 | value: C:\Windows\ 27 | target: log 28 | respond: 29 | - action: report 30 | metadata: 31 | author: Michael Haag (idea), Florian Roth (rule) 32 | description: Detects an executable in the Windows folder accessing github.com 33 | level: high 34 | references: 35 | - https://twitter.com/M_haggis/status/900741347035889665 36 | - https://twitter.com/M_haggis/status/1032799638213066752 37 | tags: 38 | - attack.lateral_movement 39 | - attack.t1105 40 | name: Microsoft Binary Github Communication 41 | 42 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_win_binary_susp_com.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '3' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Initiated 12 | value: 'true' 13 | - op: or 14 | rules: 15 | - case sensitive: false 16 | op: ends with 17 | path: Event/EventData/DestinationHostname 18 | value: dl.dropboxusercontent.com 19 | - case sensitive: false 20 | op: ends with 21 | path: Event/EventData/DestinationHostname 22 | value: .pastebin.com 23 | - case sensitive: false 24 | op: ends with 25 | path: Event/EventData/DestinationHostname 26 | value: .githubusercontent.com 27 | - case sensitive: false 28 | op: starts with 29 | path: Event/EventData/Image 30 | value: C:\Windows\ 31 | target: log 32 | respond: 33 | - action: report 34 | metadata: 35 | author: Florian Roth 36 | description: Detects an executable in the Windows folder accessing suspicious 37 | domains 38 | level: high 39 | references: 40 | - https://twitter.com/M_haggis/status/900741347035889665 41 | - https://twitter.com/M_haggis/status/1032799638213066752 42 | tags: 43 | - attack.lateral_movement 44 | - 
attack.t1105 45 | name: Microsoft Binary Suspicious Communication Endpoint 46 | 47 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_win_reg_persistence.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '13' 9 | - op: or 10 | rules: 11 | - case sensitive: false 12 | op: matches 13 | path: Event/EventData/TargetObject 14 | re: .*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ 15 | Options\\.*\\GlobalFlag 16 | - case sensitive: false 17 | op: matches 18 | path: Event/EventData/TargetObject 19 | re: .*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\SilentProcessExit\\.*\\ReportingMode 20 | - case sensitive: false 21 | op: matches 22 | path: Event/EventData/TargetObject 23 | re: .*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\SilentProcessExit\\.*\\MonitorProcess 24 | - case sensitive: false 25 | op: is 26 | path: Event/EventData/EventType 27 | value: SetValue 28 | target: log 29 | respond: 30 | - action: report 31 | metadata: 32 | author: Karneades 33 | description: Detects persistence registry keys 34 | level: critical 35 | references: 36 | - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ 37 | tags: 38 | - attack.privilege_escalation 39 | - attack.persistence 40 | - attack.defense_evasion 41 | - attack.t1183 42 | - car.2013-01-002 43 | name: Registry Persistence Mechanisms 44 | 45 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_wmi_event_subscription.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: or 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: 
Event/System/EventID 8 | value: '19' 9 | - case sensitive: false 10 | op: is 11 | path: Event/System/EventID 12 | value: '20' 13 | - case sensitive: false 14 | op: is 15 | path: Event/System/EventID 16 | value: '21' 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Tom Ueltschi (@c_APT_ure) 22 | description: Detects creation of WMI event subscription persistence method 23 | level: high 24 | references: 25 | - https://attack.mitre.org/techniques/T1084/ 26 | tags: 27 | - attack.t1084 28 | - attack.persistence 29 | name: WMI Event Subscription 30 | 31 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '7' 9 | - case sensitive: false 10 | op: is 11 | path: Event/EventData/Image 12 | value: C:\Windows\System32\wbem\WmiPrvSE.exe 13 | - case sensitive: false 14 | op: is 15 | path: Event/EventData/ImageLoaded 16 | value: wbemcons.dll 17 | target: log 18 | respond: 19 | - action: report 20 | metadata: 21 | author: Thomas Patzke 22 | description: Detects WMI command line event consumers 23 | level: high 24 | references: 25 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 26 | tags: 27 | - attack.t1084 28 | - attack.persistence 29 | name: WMI Persistence - Command Line Event Consumer 30 | 31 | -------------------------------------------------------------------------------- /Sigma/dr_rules/windows_sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml: -------------------------------------------------------------------------------- 1 | detect: 2 | log type: wel 3 | op: and 4 | rules: 5 | - case sensitive: false 6 | op: is 7 | path: Event/System/EventID 8 | value: '11' 9 | - case sensitive: false 10 | op: 
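is 11 | path: Event/EventData/Image 12 | value: C:\WINDOWS\system32\wbem\scrcons.exe 13 | target: log 14 | respond: 15 | - action: report 16 | metadata: 17 | author: Thomas Patzke 18 | description: Detects file writes of WMI script event consumer 19 | level: high 20 | references: 21 | - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 22 | tags: 23 | - attack.t1084 24 | - attack.persistence 25 | name: WMI Persistence - Script Event Consumer File Write 26 | 27 |
--------------------------------------------------------------------------------
/Sigma/generate_all.py:
--------------------------------------------------------------------------------
import os
import subprocess

# Sigma rule directories (relative to ./sigma/rules/) that are converted.
# Each one becomes ./dr_rules/<dir with '/' replaced by '_'>.
RULE_DIRS = (
    'windows/builtin',
    'windows/process_creation',
    'windows/sysmon',
    'windows/other',
    'windows/malware',
    'network',
    'linux',
    'linux/auditd',
    'compliance',
    'apt',
)

SIGMAC = './sigma/tools/sigmac'
SIGMAC_CONFIG = './sigma/tools/config/limacharlie.yml'
OUT_ROOT = './dr_rules'


def _convert_rule(thisFile, outFile):
    """Run sigmac on one Sigma rule and write its stdout to outFile.

    The converter is invoked with an argument list instead of a shell
    command string: rule file names come from os.listdir() of a checked-out
    third-party repository, and a name containing shell metacharacters must
    be passed to sigmac verbatim rather than interpreted by /bin/sh.

    Returns sigmac's exit status.
    """
    with open(outFile, 'wb') as out:
        result = subprocess.run(
            ['python3', SIGMAC, '-t', 'limacharlie', '-c', SIGMAC_CONFIG, thisFile],
            stdout=out,
        )
    return result.returncode


def main():
    """Convert every Sigma rule in RULE_DIRS into a LimaCharlie D&R rule.

    Creates ./dr_rules/<outDir> for each entry, converts every regular file
    in the matching ./sigma/rules/<dir>/ directory and deletes outputs that
    came back empty (sigmac prints nothing for rules it cannot translate).
    Output directories that already exist are reused rather than failing.
    """
    os.makedirs(OUT_ROOT, exist_ok=True)
    for d in RULE_DIRS:
        outDir = d.replace('/', '_')
        print("Creating dir: %s" % (outDir,))
        os.makedirs(os.path.join(OUT_ROOT, outDir), exist_ok=True)
        thisPath = './sigma/rules/%s/' % (d,)
        # sorted() only makes the run order (and the log) deterministic.
        for f in sorted(os.listdir(thisPath)):
            thisFile = os.path.join(thisPath, f)
            if not os.path.isfile(thisFile):
                continue
            print("Process rule %s" % (thisFile,))
            outFile = os.path.join(OUT_ROOT, outDir, f)
            rc = _convert_rule(thisFile, outFile)
            if rc != 0:
                # Surface converter failures instead of silently keeping
                # whatever partial output was written.
                print("sigmac exited with status %d for %s" % (rc, thisFile))
            if os.path.getsize(outFile) == 0:
                os.remove(outFile)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker
--------------------------------------------------------------------------------
/powershell-encoded-commands.yml: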
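--------------------------------------------------------------------------------
# Detects powershell.exe launched with an -e / -ec / -enc ... -EncodedCommand
# switch (any prefix of "-encodedcommand" followed by a non-word character).
# Backslashes are single on purpose: a YAML plain scalar does not process
# escapes, so "\\-" would require a literal backslash in the command line and
# the rule would never fire.
op: and
event: NEW_PROCESS
rules:
  - op: is windows
  - case sensitive: false
    op: ends with
    path: event/FILE_PATH
    value: powershell.exe
  - case sensitive: false
    op: matches
    path: event/COMMAND_LINE
    re: .*(?:(?:\-ec)|(?:\-e)|(?:\-enc)|(?:\-enco)|(?:\-encod)|(?:\-encode)|(?:\-encoded)|(?:\-encodedc)|(?:\-encodedco)|(?:\-encodedcom)|(?:\-encodedcomm)|(?:\-encodedcomma)|(?:\-encodedcomman)|(?:\-encodedcommand))\W.*
--------------------------------------------------------------------------------
/productivity-dropper.yaml:
--------------------------------------------------------------------------------
# Matches any productivity executable leading to
# a descendant that is either a shell process of some kind
# or that drops an executable file or script.

op: and
events:
  - NEW_PROCESS
  - EXISTING_PROCESS
rules:
  - op: is windows
  - op: matches
    path: event/FILE_PATH
    re: .*(winword|outlook|excel|powerpnt|iexplore|firefox|chrome|acrord32)\.exe$
    case sensitive: false
    with descendant:
      op: or
      rules:
        - op: matches
          event: NEW_PROCESS
          path: event/FILE_PATH
          re: .*(cmd|powershell|conhost)\.exe
          case sensitive: false
        - op: matches
          event: NEW_DOCUMENT
          path: event/FILE_PATH
          re: .*\.(dll|exe|bat|ps1)$
          case sensitive: false
--------------------------------------------------------------------------------
/win-acl-tampering.json:
--------------------------------------------------------------------------------
{
  "op" : "and",
  "event" : "NEW_PROCESS",
  "rules" : [
    {
      "op" : "is windows"
    },
    {
      "op" : "ends with",
      "path" : "event/FILE_PATH",
      "value" : "icacls.exe",
      "case sensitive" : false
    },
    {
      "op" : "contains",
      "path" : "event/COMMAND_LINE",
      "value" : "grant",
      "case sensitive" : false
    }
  ]
}
--------------------------------------------------------------------------------
/win-acl-tampering.yaml:
--------------------------------------------------------------------------------
# Flags icacls.exe runs whose command line contains "grant" (ACL changes).
# Every rule entry, including "is windows", must be a sequence item under
# rules: — a bare mapping key there is not valid YAML.
op: and
event: NEW_PROCESS
rules:
  - op: is windows
  - case sensitive: false
    op: ends with
    path: event/FILE_PATH
    value: icacls.exe
  - case sensitive: false
    op: contains
    path: event/COMMAND_LINE
    value: grant
--------------------------------------------------------------------------------
/win-password-dump.json:
--------------------------------------------------------------------------------
{
  "op" : "and",
  "event" : "CODE_IDENTITY",
  "rules" : [
    {
      "op" : "is windows"
    },
    {
      "op" : "ends with",
      "path" : "event/FILE_PATH",
      "value" : "wceaux.dll",
      "case sensitive" : false
    }
  ]
}
--------------------------------------------------------------------------------
/win-password-dump.yaml:
--------------------------------------------------------------------------------
# Flags a CODE_IDENTITY event for a module named wceaux.dll, associated with
# password dumping.
op: and
event: CODE_IDENTITY
rules:
  - op: is windows
  - op: ends with
    path: event/FILE_PATH
    value: wceaux.dll
    case sensitive: false
--------------------------------------------------------------------------------
/win-shadow-volume-tampering.yaml:
--------------------------------------------------------------------------------
# Flags vssadmin.exe deleting shadows or resizing shadow storage, and
# wmic.exe "shadowcopy delete" — activity typically seen before ransomware
# encryption, since it removes the local restore points.
op: and
event: NEW_PROCESS
rules:
  - op: is windows
  - op: or
    rules:
      - op: and
        rules:
          - case sensitive: false
            op: ends with
            path: event/FILE_PATH
            value: vssadmin.exe
          - case sensitive: false
            op: matches
            path: event/COMMAND_LINE
            re: .*(?:(?:delete shadows)|(?:resize shadowstorage)).*
      - op: and
        rules:
          - case sensitive: false
            op: ends with
            path: event/FILE_PATH
            value: wmic.exe
          - case sensitive: false
            op: contains
            path: event/COMMAND_LINE
            value: shadowcopy delete
--------------------------------------------------------------------------------
/win-suspicious-command-line.json:
--------------------------------------------------------------------------------
{
  "event": "NEW_PROCESS",
  "rules": [
    {
      "op": "is windows"
    },
    {
      "path": "event/COMMAND_LINE",
      "case sensitive": false,
      "re": ".*(?:\\xE2\\x80\\x8F).*",
      "op": "matches"
    }
  ],
  "op": "and"
}
--------------------------------------------------------------------------------
/win-suspicious-command-line.yaml:
--------------------------------------------------------------------------------
# \xE2\x80\x8F is the UTF-8 encoding of U+200F (RIGHT-TO-LEFT MARK); a
# command line containing it is displayed with part of its text reversed,
# which hides the real file extension from a user.
op: and
event: NEW_PROCESS
rules:
  - op: is windows
  - case sensitive: false
    op: matches
    path: event/COMMAND_LINE
    re: .*(?:\xE2\x80\x8F).*
--------------------------------------------------------------------------------
/win-suspicious-exec-location.json:
--------------------------------------------------------------------------------
{
  "events": [
    "NEW_PROCESS",
    "CODE_IDENTITY"
  ],
  "rules": [
    {
      "op": "is windows"
    },
    {
      "path": "event/FILE_PATH",
      "case sensitive": false,
      "re": ".*(?:(?:windows\\\\(?:(?:system32)|(?:syswow64))\\\\tasks\\\\)|(?:recycle)|(?:\\\\windows\\\\fonts\\\\)|(?:\\\\windows\\\\help\\\\)|(?:\\\\windows\\\\wbem\\\\)|(?:\\\\windows\\\\addins\\\\)|(?:\\\\windows\\\\debug\\\\)|(?:\\\\perflogs\\\\)).*",
      "op": "matches"
    }
  ],
  "op": "and"
}
--------------------------------------------------------------------------------
/win-suspicious-exec-location.yaml:
--------------------------------------------------------------------------------
# Flags processes or code identities whose path lies in Windows directories
# that normally hold no user programs (tasks, recycle bin, fonts, help, wbem,
# addins, debug, perflogs). Here "\\" in the regex is a literal path
# separator, which is the intended meaning.
op: and
events:
  - NEW_PROCESS
  - CODE_IDENTITY
rules:
  - op: is windows
  - case sensitive: false
    op: matches
    path: event/FILE_PATH
    re: .*(?:(?:windows\\(?:(?:system32)|(?:syswow64))\\tasks\\)|(?:recycle)|(?:\\windows\\fonts\\)|(?:\\windows\\help\\)|(?:\\windows\\wbem\\)|(?:\\windows\\addins\\)|(?:\\windows\\debug\\)|(?:\\perflogs\\)).*
--------------------------------------------------------------------------------
/win-suspicious-exec-name.json:
--------------------------------------------------------------------------------
{
  "event": "NEW_PROCESS",
  "rules": [
    {
      "op": "is windows"
    },
    {
      "path": "event/FILE_PATH",
      "case sensitive": false,
      "re": ".*(?:(?:\\.txt)|(?:\\.doc)|(?:\\.ppt)|(?:\\.xls)|(?:\\.zip)|(?:\\.rar)|(?:\\.rtf)|(?:\\.jpg)|(?:\\.gif)|(?:\\.pdf)|(?:\\.wmi)|(?:\\.avi)|(?: {5}.*))\\.exe",
      "op": "matches"
    }
  ],
  "op": "and"
}
--------------------------------------------------------------------------------
/win-suspicious-exec-name.yaml:
--------------------------------------------------------------------------------
# Flags executables whose name carries a document-style double extension
# (e.g. report.pdf.exe) or at least five consecutive spaces before ".exe",
# both used to make a program look like a data file.
op: and
event: NEW_PROCESS
rules:
  - op: is windows
  - case sensitive: false
    op: matches
    path: event/FILE_PATH
    re: '.*(?:(?:\.txt)|(?:\.doc)|(?:\.ppt)|(?:\.xls)|(?:\.zip)|(?:\.rar)|(?:\.rtf)|(?:\.jpg)|(?:\.gif)|(?:\.pdf)|(?:\.wmi)|(?:\.avi)|(?: {5}.*))\.exe'
--------------------------------------------------------------------------------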