diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
deleted file mode 100644
index efeff2dc673..00000000000
--- a/.github/workflows/pypi-publish.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-name: Upload Sigmatools Package to PyPI
-on:
- release:
- types: [created]
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Set up Python
- uses: actions/setup-python@v1
- with:
- python-version: '3.x'
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install setuptools wheel twine
- - name: Build and publish
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: |
- make upload
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 28931b92ec5..d94d319dd6a 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -8,7 +8,7 @@ on:
branches:
- "*"
pull_request:
- branches: [ master ]
+ branches: [ master, oscd ]
jobs:
test-sigma:
@@ -22,10 +22,12 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip
- pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+ pip install pipenv
+ pipenv lock
+ pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
run: |
- make test
+ pipenv run make test
- name: Test SQL(ite) Backend
run: |
- make test-backend-sql
+ pipenv run make test-backend-sql
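Review bot: Running `pipenv lock` right before `pipenv install --dev --deploy` regenerates the lockfile inside the job, so the committed Pipfile.lock and its sha256 pins are never what gets installed and the `--deploy` consistency check can no longer fail. The hash-pinned lockfile is this build's supply-chain control; resolving fresh on every run means the test environment drifts from what is committed and any new upstream release lands in the test job unreviewed. Drop the `pipenv lock` line and install from the committed lock, e.g. `pipenv sync --dev`, or keep `pipenv install --dev --deploy` on its own so it fails loudly when Pipfile and Pipfile.lock disagree. If refreshing the lock is the intent, that belongs in a separate job whose output is committed rather than in the test run. The same reasoning applies to the unpinned `pip install pipenv` above it, which can be pinned once a known-good version is chosen.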
diff --git a/Makefile b/Makefile
index deeb2c735c6..9fe44fecfa2 100644
--- a/Makefile
+++ b/Makefile
@@ -57,8 +57,9 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix-custom.yml -c tools/config/stix-shifter.yml -c tools/config/stix2.0.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t chronicle -c tools/config/chronicle.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
diff --git a/Pipfile b/Pipfile
index d50536fb3bb..060d74e88cc 100644
--- a/Pipfile
+++ b/Pipfile
@@ -10,13 +10,16 @@ elasticsearch = "~=7.6"
elasticsearch-async = "~=6.2"
pytest = "~=5.4"
colorama = "*"
+setuptools = "*"
+stix2 = "*"
+attackcti = "*"
[packages]
-requests = "~=2.23"
-urllib3 = "~=1.25"
+requests = "~=2.25"
+urllib3 = "~=1.26"
progressbar2 = "~=3.47"
pymisp = "~=2.4.123"
PyYAML = "~=5.1"
[requires]
-python_version = "~=3.8.2"
+python_version = "3.8"
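Review bot: The three new dev-packages entries `setuptools = "*"`, `stix2 = "*"` and `attackcti = "*"` accept any version, while the neighbouring entries in this hunk are bounded with `~=`; combined with a CI job that re-locks, they resolve to whatever is newest at run time. The lockfile in this same diff pins attackcti to 0.3.4.3, so the matching constraint would be `attackcti = "~=0.3.4"`, and stix2 should get the same treatment from its locked version, which is outside the visible chunk. An unbounded specifier means a breaking or compromised upstream release reaches the test job without anyone choosing it. The switch to a plain `python_version = "3.8"` looks correct, since `[requires]` is presumably compared as a version prefix rather than evaluated as a `~=` specifier.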
diff --git a/Pipfile.lock b/Pipfile.lock
index 3436ea040d3..f83fca95723 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,11 +1,11 @@
{
"_meta": {
"hash": {
- "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a"
+ "sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2"
},
"pipfile-spec": 6,
"requires": {
- "python_version": "3.6"
+ "python_version": "3.8"
},
"sources": [
{
@@ -18,46 +18,38 @@
"default": {
"attrs": {
"hashes": [
- "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
- "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
+ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
+ "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
- "version": "==19.3.0"
+ "version": "==21.2.0"
},
"certifi": {
"hashes": [
- "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
- "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
+ "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
+ "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
],
- "version": "==2019.11.28"
+ "version": "==2021.5.30"
},
"chardet": {
"hashes": [
- "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
- "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+ "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
- "version": "==3.0.4"
+ "version": "==4.0.0"
},
"deprecated": {
"hashes": [
- "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
- "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
+ "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
+ "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
],
- "version": "==1.2.7"
+ "version": "==1.2.12"
},
"idna": {
"hashes": [
- "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
- "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
+ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
+ "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
- "version": "==2.9"
- },
- "importlib-metadata": {
- "hashes": [
- "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f",
- "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e"
- ],
- "markers": "python_version < '3.8'",
- "version": "==1.6.0"
+ "version": "==2.10"
},
"jsonschema": {
"hashes": [
@@ -68,25 +60,25 @@
},
"progressbar2": {
"hashes": [
- "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772",
- "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928"
+ "sha256:ef72be284e7f2b61ac0894b44165926f13f5d995b2bf3cd8a8dedc6224b255a7",
+ "sha256:fe2738e7ecb7df52ad76307fe610c460c52b50f5335fd26c3ab80ff7655ba1e0"
],
"index": "pypi",
- "version": "==3.50.1"
+ "version": "==3.53.1"
},
"pymisp": {
"hashes": [
- "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd",
- "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3"
+ "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a",
+ "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2"
],
"index": "pypi",
- "version": "==2.4.123"
+ "version": "==2.4.141.1"
},
"pyrsistent": {
"hashes": [
- "sha256:28669905fe725965daa16184933676547c5bb40a5153055a8dee2a4bd7933ad3"
+ "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
],
- "version": "==0.16.0"
+ "version": "==0.17.3"
},
"python-dateutil": {
"hashes": [
@@ -97,82 +89,125 @@
},
"python-utils": {
"hashes": [
- "sha256:ebaadab29d0cb9dca0a82eab9c405f5be5125dbbff35b8f32cc433fa498dbaa7",
- "sha256:f21fc09ff58ea5ebd1fd2e8ef7f63e39d456336900f26bdc9334a03a3f7d8089"
+ "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208",
+ "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349"
],
- "version": "==2.4.0"
+ "version": "==2.5.6"
},
"pyyaml": {
"hashes": [
- "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
- "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
- "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
- "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
- "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
- "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
- "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
- "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
- "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
- "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
- "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+ "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+ "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+ "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+ "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+ "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+ "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+ "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+ "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+ "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+ "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+ "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+ "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+ "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+ "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+ "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+ "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+ "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+ "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+ "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+ "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+ "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+ "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+ "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+ "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+ "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+ "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+ "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+ "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
],
"index": "pypi",
- "version": "==5.1"
+ "version": "==5.4.1"
},
"requests": {
"hashes": [
- "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
- "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
+ "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+ "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
],
"index": "pypi",
- "version": "==2.23.0"
+ "version": "==2.25.1"
},
"six": {
"hashes": [
- "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
- "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
+ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
+ "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
- "version": "==1.14.0"
+ "version": "==1.16.0"
},
"urllib3": {
"hashes": [
- "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
- "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+ "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
+ "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
],
"index": "pypi",
- "version": "==1.25.8"
+ "version": "==1.26.5"
},
"wrapt": {
"hashes": [
"sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
],
"version": "==1.12.1"
- },
- "zipp": {
- "hashes": [
- "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b",
- "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96"
- ],
- "version": "==3.1.0"
}
},
"develop": {
"aiohttp": {
"hashes": [
- "sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e",
- "sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326",
- "sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a",
- "sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654",
- "sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a",
- "sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4",
- "sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17",
- "sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec",
- "sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd",
- "sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48",
- "sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59",
- "sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965"
- ],
- "version": "==3.6.2"
+ "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
+ "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
+ "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
+ "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
+ "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
+ "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
+ "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
+ "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
+ "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
+ "sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
+ "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
+ "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
+ "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
+ "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
+ "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
+ "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
+ "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
+ "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
+ "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
+ "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
+ "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
+ "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
+ "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
+ "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
+ "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
+ "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
+ "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
+ "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
+ "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
+ "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
+ "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
+ "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
+ "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
+ "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
+ "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
+ "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
+ "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
+ ],
+ "version": "==3.7.4.post0"
+ },
+ "antlr4-python3-runtime": {
+ "hashes": [
+ "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
+ ],
+ "markers": "python_version >= '3'",
+ "version": "==4.8"
},
"async-timeout": {
"hashes": [
@@ -181,72 +216,108 @@
],
"version": "==3.0.1"
},
+ "attackcti": {
+ "hashes": [
+ "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f",
+ "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9"
+ ],
+ "index": "pypi",
+ "version": "==0.3.4.3"
+ },
"attrs": {
"hashes": [
- "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
- "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
+ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
+ "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
- "version": "==19.3.0"
+ "version": "==21.2.0"
+ },
+ "certifi": {
+ "hashes": [
+ "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
+ "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
+ ],
+ "version": "==2021.5.30"
},
"chardet": {
"hashes": [
- "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
- "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+ "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
- "version": "==3.0.4"
+ "version": "==4.0.0"
},
"colorama": {
"hashes": [
- "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
- "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+ "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
+ "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"
],
"index": "pypi",
- "version": "==0.4.3"
+ "version": "==0.4.4"
},
"coverage": {
"hashes": [
- "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0",
- "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30",
- "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b",
- "sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0",
- "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823",
- "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe",
- "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037",
- "sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6",
- "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31",
- "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd",
- "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892",
- "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1",
- "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78",
- "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac",
- "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006",
- "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014",
- "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2",
- "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7",
- "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8",
- "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7",
- "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9",
- "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1",
- "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307",
- "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a",
- "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435",
- "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0",
- "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5",
- "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441",
- "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732",
- "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de",
- "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1"
+ "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c",
+ "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6",
+ "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45",
+ "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a",
+ "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03",
+ "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529",
+ "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a",
+ "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a",
+ "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2",
+ "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6",
+ "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759",
+ "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53",
+ "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a",
+ "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4",
+ "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff",
+ "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502",
+ "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793",
+ "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb",
+ "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905",
+ "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821",
+ "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b",
+ "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81",
+ "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0",
+ "sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b",
+ "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3",
+ "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184",
+ "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701",
+ "sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a",
+ "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82",
+ "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638",
+ "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5",
+ "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083",
+ "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6",
+ "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90",
+ "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465",
+ "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a",
+ "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3",
+ "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e",
+ "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066",
+ "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf",
+ "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b",
+ "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae",
+ "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669",
+ "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873",
+ "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b",
+ "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6",
+ "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb",
+ "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160",
+ "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c",
+ "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079",
+ "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d",
+ "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6"
],
"index": "pypi",
- "version": "==5.0.4"
+ "version": "==5.5"
},
"elasticsearch": {
"hashes": [
- "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8",
- "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81"
+ "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0",
+ "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378"
],
"index": "pypi",
- "version": "==7.6.0"
+ "version": "==7.12.0"
},
"elasticsearch-async": {
"hashes": [
@@ -258,68 +329,73 @@
},
"idna": {
"hashes": [
- "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
- "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
- ],
- "version": "==2.9"
- },
- "idna-ssl": {
- "hashes": [
- "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c"
- ],
- "markers": "python_version < '3.7'",
- "version": "==1.1.0"
- },
- "importlib-metadata": {
- "hashes": [
- "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f",
- "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e"
+ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
+ "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
- "markers": "python_version < '3.8'",
- "version": "==1.6.0"
+ "version": "==2.10"
},
"more-itertools": {
"hashes": [
- "sha256:5dd8bcf33e5f9513ffa06d5ad33d78f31e1931ac9a18f33d37e77a180d393a7c",
- "sha256:b1ddb932186d8a6ac451e1d95844b382f55e12686d51ca0c68b6f61f2ab7a507"
+ "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
+ "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
],
- "version": "==8.2.0"
+ "version": "==8.8.0"
},
"multidict": {
"hashes": [
- "sha256:317f96bc0950d249e96d8d29ab556d01dd38888fbe68324f46fd834b430169f1",
- "sha256:42f56542166040b4474c0c608ed051732033cd821126493cf25b6c276df7dd35",
- "sha256:4b7df040fb5fe826d689204f9b544af469593fb3ff3a069a6ad3409f742f5928",
- "sha256:544fae9261232a97102e27a926019100a9db75bec7b37feedd74b3aa82f29969",
- "sha256:620b37c3fea181dab09267cd5a84b0f23fa043beb8bc50d8474dd9694de1fa6e",
- "sha256:6e6fef114741c4d7ca46da8449038ec8b1e880bbe68674c01ceeb1ac8a648e78",
- "sha256:7774e9f6c9af3f12f296131453f7b81dabb7ebdb948483362f5afcaac8a826f1",
- "sha256:85cb26c38c96f76b7ff38b86c9d560dea10cf3459bb5f4caf72fc1bb932c7136",
- "sha256:a326f4240123a2ac66bb163eeba99578e9d63a8654a59f4688a79198f9aa10f8",
- "sha256:ae402f43604e3b2bc41e8ea8b8526c7fa7139ed76b0d64fc48e28125925275b2",
- "sha256:aee283c49601fa4c13adc64c09c978838a7e812f85377ae130a24d7198c0331e",
- "sha256:b51249fdd2923739cd3efc95a3d6c363b67bbf779208e9f37fd5e68540d1a4d4",
- "sha256:bb519becc46275c594410c6c28a8a0adc66fe24fef154a9addea54c1adb006f5",
- "sha256:c2c37185fb0af79d5c117b8d2764f4321eeb12ba8c141a95d0aa8c2c1d0a11dd",
- "sha256:dc561313279f9d05a3d0ffa89cd15ae477528ea37aa9795c4654588a3287a9ab",
- "sha256:e439c9a10a95cb32abd708bb8be83b2134fa93790a4fb0535ca36db3dda94d20",
- "sha256:fc3b4adc2ee8474cb3cd2a155305d5f8eda0a9c91320f83e55748e1fcb68f8e3"
- ],
- "version": "==4.7.5"
+ "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a",
+ "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93",
+ "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632",
+ "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656",
+ "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79",
+ "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7",
+ "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d",
+ "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5",
+ "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224",
+ "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26",
+ "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea",
+ "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348",
+ "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6",
+ "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76",
+ "sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1",
+ "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f",
+ "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952",
+ "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a",
+ "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37",
+ "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9",
+ "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359",
+ "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8",
+ "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da",
+ "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3",
+ "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d",
+ "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf",
+ "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841",
+ "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d",
+ "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93",
+ "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f",
+ "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647",
+ "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635",
+ "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456",
+ "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda",
+ "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5",
+ "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
+ "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
+ ],
+ "version": "==5.1.0"
},
"packaging": {
"hashes": [
- "sha256:3c292b474fda1671ec57d46d739d072bfd495a4f51ad01a055121d81e952b7a3",
- "sha256:82f77b9bee21c1bafbf35a84905d604d5d1223801d639cf3ed140bd651c08752"
+ "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
+ "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
],
- "version": "==20.3"
+ "version": "==20.9"
},
"pathspec": {
"hashes": [
- "sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
- "sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
+ "sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd",
+ "sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d"
],
- "version": "==0.7.0"
+ "version": "==0.8.1"
},
"pluggy": {
"hashes": [
@@ -330,110 +406,227 @@
},
"py": {
"hashes": [
- "sha256:5e27081401262157467ad6e7f851b7aa402c5852dbcb3dae06768434de5752aa",
- "sha256:c20fdd83a5dbc0af9efd622bee9a5564e278f6380fffcacc43ba6f43db2813b0"
+ "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
+ "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
],
- "version": "==1.8.1"
+ "version": "==1.10.0"
},
"pyparsing": {
"hashes": [
- "sha256:4c830582a84fb022400b85429791bc551f1f4871c33f23e44f353119e92f969f",
- "sha256:c342dccb5250c08d45fd6f8b4a559613ca603b57498511740e65cd11a2e7dcec"
+ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
+ "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
- "version": "==2.4.6"
+ "version": "==2.4.7"
},
"pytest": {
"hashes": [
- "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172",
- "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970"
+ "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1",
+ "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8"
],
"index": "pypi",
- "version": "==5.4.1"
+ "version": "==5.4.3"
+ },
+ "pytz": {
+ "hashes": [
+ "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
+ "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
+ ],
+ "version": "==2021.1"
},
"pyyaml": {
"hashes": [
- "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
- "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
- "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
- "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
- "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
- "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
- "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
- "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
- "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
- "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
- "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+ "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+ "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+ "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+ "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+ "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+ "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+ "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+ "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+ "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+ "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+ "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+ "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+ "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+ "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+ "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+ "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+ "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+ "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+ "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+ "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+ "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+ "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+ "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+ "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+ "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+ "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+ "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+ "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
+ ],
+ "index": "pypi",
+ "version": "==5.4.1"
+ },
+ "requests": {
+ "hashes": [
+ "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+ "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
],
"index": "pypi",
- "version": "==5.1"
+ "version": "==2.25.1"
+ },
+ "simplejson": {
+ "hashes": [
+ "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
+ "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
+ "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
+ "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
+ "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
+ "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
+ "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
+ "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
+ "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
+ "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
+ "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
+ "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
+ "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
+ "sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
+ "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
+ "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
+ "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
+ "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
+ "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
+ "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
+ "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
+ "sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
+ "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
+ "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
+ "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
+ "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
+ "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
+ "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
+ "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
+ "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
+ "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
+ "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
+ "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
+ "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
+ "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
+ "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
+ "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
+ "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
+ "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
+ "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
+ "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
+ "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
+ "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
+ "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
+ "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
+ ],
+ "version": "==3.17.2"
},
"six": {
"hashes": [
- "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
- "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
+ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
+ "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
+ ],
+ "version": "==1.16.0"
+ },
+ "stix2": {
+ "hashes": [
+ "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
+ "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
+ ],
+ "index": "pypi",
+ "version": "==2.1.0"
+ },
+ "stix2-patterns": {
+ "hashes": [
+ "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
+ "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
+ ],
+ "version": "==1.3.2"
+ },
+ "taxii2-client": {
+ "hashes": [
+ "sha256:b4212b8a8bab170cd5dc386ca3ea36bc44b53932f1da30db150abeef00bce7b9",
+ "sha256:fb3bf895e2eaff3cd08bb7aad75c9d30682ffc00b9f3add77de3a67dc6b895a3"
],
- "version": "==1.14.0"
+ "version": "==2.3.0"
},
"typing-extensions": {
"hashes": [
- "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
- "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
- "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
+ "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
+ "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
+ "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
- "markers": "python_version < '3.7'",
- "version": "==3.7.4.1"
+ "version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
- "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
- "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+ "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
+ "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
],
"index": "pypi",
- "version": "==1.25.8"
+ "version": "==1.26.5"
},
"wcwidth": {
"hashes": [
- "sha256:cafe2186b3c009a04067022ce1dcd79cb38d8d65ee4f4791b8888d6599d1bbe1",
- "sha256:ee73862862a156bf77ff92b09034fc4825dd3af9cf81bc5b360668d425f3c5f1"
+ "sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784",
+ "sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83"
],
- "version": "==0.1.9"
+ "version": "==0.2.5"
},
"yamllint": {
"hashes": [
- "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f",
- "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193"
+ "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
+ "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
],
"index": "pypi",
- "version": "==1.21.0"
+ "version": "==1.26.0"
},
"yarl": {
"hashes": [
- "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
- "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
- "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
- "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
- "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
- "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
- "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
- "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
- "sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
- "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
- "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
- "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
- "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
- "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
- "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
- "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
- "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
- ],
- "version": "==1.4.2"
- },
- "zipp": {
- "hashes": [
- "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b",
- "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96"
- ],
- "version": "==3.1.0"
+ "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e",
+ "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434",
+ "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366",
+ "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3",
+ "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec",
+ "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959",
+ "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e",
+ "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c",
+ "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6",
+ "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a",
+ "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6",
+ "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424",
+ "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e",
+ "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f",
+ "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50",
+ "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2",
+ "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc",
+ "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4",
+ "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970",
+ "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10",
+ "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0",
+ "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406",
+ "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896",
+ "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643",
+ "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721",
+ "sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478",
+ "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724",
+ "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e",
+ "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8",
+ "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96",
+ "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25",
+ "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76",
+ "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2",
+ "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2",
+ "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c",
+ "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
+ "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
+ ],
+ "version": "==1.6.3"
}
}
}
diff --git a/README.md b/README.md
index bd5182d4cc8..bcf458e0664 100644
--- a/README.md
+++ b/README.md
@@ -40,9 +40,9 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
# Why Sigma
-Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
+Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
-Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
## Slides
@@ -52,7 +52,7 @@ See the first slide deck that I prepared for a private conference in mid January
# Specification
-The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).
+The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).
The current specification is a proposal. Feedback is requested.
@@ -62,7 +62,7 @@ The current specification is a proposal. Feedback is requested.
Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
-## Rule Usage
+## Rule Usage
1. Download or clone the repository
2. Check the `./rules` sub directory for an overview on the rule base
@@ -106,7 +106,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
```bash
usage: sigmac [-h] [--recurse] [--filter FILTER]
- [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
+ [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
@@ -131,7 +131,7 @@ optional arguments:
tag that must appear in the rules tag list, case-
insensitive matching. Multiple log source
specifications are AND linked.
- --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}
+ --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
@@ -172,13 +172,13 @@ Translate a whole rule directory and ignore backend errors (`-I`) in rule conver
```
tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
```
-#### Rule Set Translation with Custom Config
+#### Rule Set Translation with Custom Config
Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
```
tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
```
#### Generic Rule Set Translation
-Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
```
tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
```
@@ -209,7 +209,9 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [LimaCharlie](https://limacharlie.io)
* [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
+* [LOGIQ](https://www.logiq.ai)
* [uberAgent ESA](https://uberagent.com/)
+* [Devo](https://devo.com)
Current work-in-progress
* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
@@ -228,16 +230,18 @@ It's available on PyPI. Install with:
pip3 install sigmatools
```
-Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with [Pipenv](https://pypi.org/project/pipenv/).
+Run the following command to get a shell with the installed requirements:
```bash
-pip3 install -r tools/requirements.txt
+pipenv shell
```
For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
```bash
-pip3 install -r tools/requirements-devel.txt
+pipenv install --dev
+pipenv shell
```
## Sigma2MISP
@@ -251,7 +255,7 @@ Example:
*misp.conf*:
```
url https://host
-key foobarfoobarfoobarfoobarfoobarfoobarfoo
+key foobarfoobarfoobarfoobarfoobarfoobarfoo
```
Load Sigma rule into MISP event 1234:
@@ -266,7 +270,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
## Evt2Sigma
-[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.
## Sigma2attack
@@ -291,7 +295,7 @@ Result once imported in the MITRE ATT&CK® Navigator ([online version](https://m
## S2AN
-Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules.
+Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules.
S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies.
@@ -317,11 +321,11 @@ These tools are not part of the main toolchain and maintained separately by thei
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
* [Joe Sandbox](https://www.joesecurity.org/)
-* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
-* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
+* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
Sigma is available in some Linux distribution repositories:
@@ -333,10 +337,10 @@ If you want to contribute, you are more then welcome. There are numerous ways to
## Use it and provide feedback
-If you use it, let us know what works and what does not work.
+If you use it, let us know what works and what does not work.
E.g.
-- Tell us about false positives (issues section)
+- Tell us about false positives (issues section)
- Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule
## Work on open issues
@@ -345,7 +349,7 @@ The github issue tracker is a good place to start tackling some issues others ra
## Provide Backends / Backend Features / Bugfixes
-Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
+Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
## Spread the word
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
new file mode 100644
index 00000000000..bcd2772a327
--- /dev/null
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -0,0 +1,42 @@
+title: Always Install Elevated Parent Child Correlated
+id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
+description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
+#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
+#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ system_integrity:
+ IntegrityLevel: 'System'
+ system_user:
+ User: 'NT AUTHORITY\SYSTEM'
+ image_1:
+ Image|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ Image|endswith:
+ - 'tmp'
+ image_2:
+ Image|endswith: '\msiexec.exe'
+ child_of_suspicious_guid:
+ ParentProcessGuid: '%suspicious_guid%'
+ condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
+fields:
+ - EventID
+ - IntegrityLevel
+ - User
+ - Image
+ ParentProcessGuid
+falsepositives:
+ - System administrator usage
+ - Penetration test
+level: high
\ No newline at end of file
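Review bot: `ParentProcessGuid` in the `fields` list is missing the `- ` sequence marker that the four entries above it carry, so depending on its indentation the file either fails to parse or the name folds into the preceding `Image` scalar; it should read `- ParentProcessGuid`. The condition also references `event_id` and `integrity_level`, neither of which is defined under `detection` (the defined selection is `system_integrity`), so even as pseudo-logic for an unsupported rule the names should match the selections declared above. The description's `will looks any process` reads as a typo for `will look for any process`.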
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
new file mode 100644
index 00000000000..c8f95ed7820
--- /dev/null
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+ - attack.credential_access
+ - attack.t1555
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ AccessList|contains: '%%4416'
+ ObjectName|endswith:
+ - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+ - '\%FOLDER_NAME%\Unattend.xml'
+ condition: selection
+fields:
+ - EventID
+ - AccessList
+ - ObjectName
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
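Review bot: The `%POLICY_ID%` and `%FOLDER_NAME%` placeholders in `ObjectName|endswith` are handed to a backend as literal text, so the rule matches nothing until they are replaced with the paths of the decoy files actually deployed; a comment above the list such as `# replace the %...% placeholders with the paths of your deployed decoy files` or a `definition:` under `logsource` would make that explicit. The same `definition:` should state that EventID 4663 is only emitted when the Audit File System subcategory is enabled and a SACL is set on those files, otherwise the rule is silently inert. `'%%4416'` in `AccessList|contains` is the ReadData/ListDirectory access right as resolved by the Security log; naming it in an inline comment would help readers unfamiliar with the access-mask strings.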
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
new file mode 100644
index 00000000000..5730b930e34
--- /dev/null
+++ b/rules-unsupported/win_remote_schtask.yml
@@ -0,0 +1,44 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4698
+ - 4702
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ filter2:
+ Source_Network_Address: '-'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2 and not filter2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+falsepositives:
+ - Unknown
+level: medium
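Review bot: `timeframe: 30d` contradicts the rule's own comments, which describe correlating the 4624 logon with the 4698/4702 task event per host over a 30 second window (`maxspan=30s`, "in a 30second period"); the sibling win_remote_service.yml in this commit uses `timeframe: 30s`, so this looks like a typo. `filter2` (`Source_Network_Address: '-'`) is applied to `selection2`, but 4698/4702 task events carry no source address field, so the filter presumably belongs on the 4624 side: `condition: (selection1 and not filter1 and not filter2) or selection2`. The field names `Logon_Type` and `Source_Network_Address` look like display names rather than the event XML field names (`LogonType`, `IpAddress`); worth confirming against the field naming used by the rest of the rule set before this leaves rules-unsupported.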
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
new file mode 100644
index 00000000000..75654260cde
--- /dev/null
+++ b/rules-unsupported/win_remote_service.yml
@@ -0,0 +1,50 @@
+action: global
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30s
+ condition: (selection1 and not filter1) or selection2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+
+falsepositives:
+ - Unknown
+level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
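Review bot: The second document (` logsource:` through ` EventID: 4697`) is indented by one space while the third document (`logsource:` / `detection:`) starts at column 0; each document still parses on its own, but the two should share the same top-level indentation, so drop the leading space from those six lines. The last explanatory comment still ends with `to a task creation at another`, carried over from the scheduled-task rule, and should read `to a service creation at another`; the comment above it names only event 7045 although `selection2` also covers 4697 in the security document. The file also ends without a trailing newline, which this same commit fixes in several existing rules.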
diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml
index 2d5a3265783..dff7a078edc 100644
--- a/rules/cloud/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws_ec2_vm_export_failure.yml
@@ -18,7 +18,7 @@ detection:
errorCode: '*'
filter3:
eventName: 'ConsoleLogin'
- responseElements: '*Failure*'
+ responseElements|contains: 'Failure'
condition: selection and (filter1 or filter2 or filter3)
level: low
tags:
diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws_snapshot_backup_exfiltration.yml
new file mode 100644
index 00000000000..e2f5b9e8172
--- /dev/null
+++ b/rules/cloud/aws_snapshot_backup_exfiltration.yml
@@ -0,0 +1,24 @@
+title: AWS Snapshot Backup Exfiltration
+id: abae8fec-57bd-4f87-aff6-6e3db989843d
+status: test
+description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
+author: Darin Smith
+date: 2021/05/17
+references:
+ - https://www.justice.gov/file/1080281/download
+ - https://attack.mitre.org/techniques/T1537/
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: cloudtrail.amazonaws.com
+ events:
+ - eventName:
+ - ModifySnapshotAttribute
+ condition: selection_source AND events
+falsepositives:
+ - Valid change to a snapshot's permissions
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1537
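Review bot: `eventSource: cloudtrail.amazonaws.com` will not match the ModifySnapshotAttribute call the rule is looking for, because CloudTrail records EC2 API calls with `eventSource: ec2.amazonaws.com`; as written the rule never fires. The condition also uses uppercase `AND` where every other rule in this commit writes the operators in lowercase, `condition: selection_source and events`. Both selections are written as one-element lists of mappings (`- eventSource:`, `- eventName:`), which is harmless but plain mappings read more naturally.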
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index cda7793817f..eb1acd9c902 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@@ -81,7 +81,7 @@ detection:
condition: selection
---
logsource:
- product: firewall
+ category: firewall
detection:
selection1:
destination.port:
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index 26432714203..cab122e0b13 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@@ -4,12 +4,13 @@ status: stable
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/19
+modified: 2021/05/30
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
logsource:
- product: Qualys
+ product: qualys
detection:
selection:
event.category: Security Policy
diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml
new file mode 100644
index 00000000000..81e3802ea1a
--- /dev/null
+++ b/rules/linux/at_command.yml
@@ -0,0 +1,23 @@
+title: Scheduled Task/Job At
+id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
+status: stable
+description: Detects the use of at/atd
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ProcessName|endswith:
+ - '/at'
+ - '/atd'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
+ - attack.t1053.001
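Review bot: `ProcessName|endswith` uses a field name that none of the other Linux `process_creation` rules in this commit use; the sibling rules (lnx_clear_logs.yml, lnx_process_discovery.yml, lnx_local_groups.yml) match on `Image|endswith`, and a backend field mapping keyed on `Image` will not apply to `ProcessName`. Unless the repository's Linux process_creation config maps `ProcessName`, change it to `Image|endswith:`.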
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 872398f623d..4c1d6f6bac6 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -12,7 +12,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
- exe: '*/useradd'
+ exe|endswith: '/useradd'
condition: selection
falsepositives:
- Admin activity
@@ -20,4 +20,4 @@ level: medium
tags:
- attack.t1136 # an old one
- attack.t1136.001
- - attack.persistence
\ No newline at end of file
+ - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 0dfbfe404a4..c76769bc902 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,9 +16,9 @@ detection:
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
- a3: '*/crond'
+ a3|endswith: '/crond'
condition: selection
level: medium
tags:
- attack.defense_evasion
- - attack.t1036.003
\ No newline at end of file
+ - attack.t1036.003
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 64175ef8a94..4cbc91f86e9 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -12,26 +12,26 @@ logsource:
detection:
selection:
type: 'SYSCALL'
- exe:
+ exe|startswith:
# Temporary folder
- - '/tmp/*'
+ - '/tmp/'
# Web server
- - '/var/www/*' # Standard
- - '/home/*/public_html/*' # Per-user
- - '/usr/local/apache2/*' # Classical Apache
- - '/usr/local/httpd/*' # Old SuSE Linux 6.* Apache
- - '/var/apache/*' # Solaris Apache
- - '/srv/www/*' # SuSE Linux 9.*
- - '/home/httpd/html/*' # Redhat 6 or older Apache
- - '/srv/http/*' # ArchLinux standard
- - '/usr/share/nginx/html/*' # ArchLinux nginx
+ - '/var/www/' # Standard
+ - '/home/*/public_html/' # Per-user
+ - '/usr/local/apache2/' # Classical Apache
+ - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
+ - '/var/apache/' # Solaris Apache
+ - '/srv/www/' # SuSE Linux 9.*
+ - '/home/httpd/html/' # Redhat 6 or older Apache
+ - '/srv/http/' # ArchLinux standard
+ - '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- - '/var/lib/pgsql/data/*'
- - '/usr/local/mysql/data/*'
- - '/var/lib/mysql/*'
- - '/var/vsftpd/*'
- - '/etc/bind/*'
- - '/var/named/*'
+ - '/var/lib/pgsql/data/'
+ - '/usr/local/mysql/data/'
+ - '/var/lib/mysql/'
+ - '/var/vsftpd/'
+ - '/etc/bind/'
+ - '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
new file mode 100644
index 00000000000..62620cf4bb0
--- /dev/null
+++ b/rules/linux/lnx_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ base64_execution:
+ Image|endswith: '/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
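Review bot: The file ends without a trailing newline (`\ No newline at end of file`), while the same commit adds the missing newline to lnx_auditd_create_account.yml and several other existing rules; the same applies to lnx_file_and_directory_discovery.yml and lnx_security_software_discovery.yml below. `CommandLine|contains: '-d'` also matches the long form `--decode` (which contains `-d`), so the single value already covers both spellings; a comment such as `# '-d' also covers '--decode'` would make that intentional rather than accidental.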
diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml
new file mode 100644
index 00000000000..cba357572f6
--- /dev/null
+++ b/rules/linux/lnx_binary_padding.yml
@@ -0,0 +1,35 @@
+title: 'Binary Padding'
+id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'truncate'
+ - '-s'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'dd'
+ - 'if='
+ filter:
+ keywords|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
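Review bot: `keywords|contains|all` with `'dd'` and `'-s'` are unanchored substring tests, so `selection1` fires on any EXECVE whose arguments contain `truncate` and `-s` anywhere (e.g. `-size`), and `selection2` on any with `if=` plus the letters `dd` inside any argument; with `level: high` and only `Legitimate script work` listed as a false positive this is likely to be noisy. If the auditd argument fields are available (the masquerading_crond rule above matches on `a0`), `a0: 'truncate'` / `a0: 'dd'` would anchor the command name; otherwise lowering the level is the honest alternative. Whether a field literally named `keywords` is resolved by the auditd backend config is not visible here; the same pattern is used in lnx_change_file_time_attr.yml and lnx_find_cred_in_files.yml.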
diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml
new file mode 100644
index 00000000000..22763a8cff6
--- /dev/null
+++ b/rules/linux/lnx_change_file_time_attr.yml
@@ -0,0 +1,33 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'touch'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml
new file mode 100644
index 00000000000..39899711a1f
--- /dev/null
+++ b/rules/linux/lnx_clear_logs.yml
@@ -0,0 +1,26 @@
+title: Clear Linux Logs
+id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
+status: stable
+description: Detects clear logs
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ CommandLine|contains:
+ - '/var/log'
+ - '/var/spool/mail'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
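Review bot: The comment `# covers /rmdir as well` on `- '/rm'` is wrong: `Image|endswith: '/rm'` only matches paths whose last three characters are `/rm`, so `/bin/rmdir` (ending in `dir`) is not matched. Either add `- '/rmdir'` as a separate list entry or drop the comment; the identical comment and gap appear in lnx_file_deletion.yml further down.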
diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml
new file mode 100644
index 00000000000..af52c776569
--- /dev/null
+++ b/rules/linux/lnx_file_and_directory_discovery.yml
@@ -0,0 +1,29 @@
+title: File and Directory Discovery
+id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ file_with_asterisk:
+ Image|endswith: '/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image|endswith: '/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image|endswith: '/find'
+ tree_execution:
+ Image|endswith: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index 0284764473d..2a0509c6fdf 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -11,18 +11,20 @@ logsource:
detection:
keywords:
- Scp|contains:
- - 'scp * *@*:*'
- - 'scp *@*:* *'
+ - 'scp'
- Rsync|contains:
- - 'rsync -r *@*:* *'
- - 'rsync -r * *@*:*'
+ - 'rsync -r'
- Sftp|contains:
- - 'sftp *@*:* *'
- condition: keywords
+ - 'sftp'
+ filter:
+ message|contains|all:
+ - '@'
+ - ':'
+ condition: keywords and filter
falsepositives:
- Legitimate administration activities
level: low
tags:
- attack.command_and_control
- attack.lateral_movement
- - attack.t1105
\ No newline at end of file
+ - attack.t1105
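Review bot: The new `filter` (`message|contains|all` with `'@'` and `':'`) is a much weaker constraint than the removed `*@*:*` patterns, because `:` appears in practically every log line (timestamps, `process[pid]:`) and `@` only has to occur anywhere in the message, not next to the `scp`/`rsync`/`sftp` token. If the intent is still "copy with a user@host: endpoint", a regular expression such as `scp .*@.*:` on the message field would keep the original constraint, where the backend supports `|re`. The filter also introduces a field `message` alongside the existing `Scp`/`Rsync`/`Sftp` field names, so the rule now depends on four different field names resolving in the backend config; a comment stating which log source these map to would help.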
diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml
new file mode 100644
index 00000000000..3919757308a
--- /dev/null
+++ b/rules/linux/lnx_file_deletion.yml
@@ -0,0 +1,23 @@
+title: File Deletion
+id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
+status: stable
+description: Detects file deletion commands
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/linux/lnx_find_cred_in_files.yml b/rules/linux/lnx_find_cred_in_files.yml
new file mode 100644
index 00000000000..71b908273b4
--- /dev/null
+++ b/rules/linux/lnx_find_cred_in_files.yml
@@ -0,0 +1,29 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'grep'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains: 'password'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
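Review bot: `selection1 and selection2` are two independent `keywords|contains` tests on the same EXECVE record, which lnx_binary_padding.yml in this commit expresses more compactly as one selection with `keywords|contains|all` listing `'grep'` and `'password'`; collapsing them keeps the two files consistent. Both substrings are unanchored, so `level: high` will also fire on routine scripts grepping for `password` in configuration files; a `falsepositives` entry naming that case instead of `'Unknown'` would document the expected noise.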
diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml
new file mode 100644
index 00000000000..b1a9f61ee7e
--- /dev/null
+++ b/rules/linux/lnx_install_root_certificate.yml
@@ -0,0 +1,22 @@
+title: Install Root Certificate
+id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+description: Detects installed new certificate
+author: Ömer Günal, oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: low
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/update-ca-certificates'
+ - '/update-ca-trust'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
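Review bot: The rule has no `status:` key, while every other new rule in this commit declares one; add `status: experimental` after `id:`. The key order (tags and level before logsource/detection, falsepositives last) also differs from the other rules, which go logsource, detection, falsepositives, level, tags; reordering is cosmetic but keeps the files diffable against each other.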
diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml
new file mode 100644
index 00000000000..be1b937b70a
--- /dev/null
+++ b/rules/linux/lnx_ldso_preload_injection.yml
@@ -0,0 +1,17 @@
+title: Code Injection by ld.so Preload
+id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
+status: experimental
+description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
+author: Christian Burkard
+date: 2021/05/05
+references:
+ - https://man7.org/linux/man-pages/man8/ld.so.8.html
+logsource:
+ product: linux
+detection:
+ keyword:
+ - '/etc/ld.so.preload'
+ condition: keyword
+falsepositives:
+ - rare temporary workaround for library misconfiguration
+level: high
diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml
new file mode 100644
index 00000000000..2e31f466d89
--- /dev/null
+++ b/rules/linux/lnx_local_account.yml
@@ -0,0 +1,39 @@
+title: Local System Accounts Discovery
+id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/lastlog'
+ selection_2:
+ CommandLine|contains:
+ - "'x:0:'"
+ selection_3:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/sudoers'
+ selection_4:
+ Image|endswith:
+ - '/id'
+ selection_5:
+ Image|endswith:
+ - '/lsof'
+ CommandLine|contains:
+ - '-u'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
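Review bot: `description: Detects enumeration of local systeam accounts` has a typo, `systeam` → `system`. `selection_2` matches the literal string `'x:0:'` including the surrounding single quotes (the YAML value is `"'x:0:'"`), so a command line that passes the pattern unquoted or double-quoted is not matched; if the quotes are not intentional, use `- 'x:0:'`. The `/id` and `/lastlog` selections carry no CommandLine constraint and therefore match every invocation of those commands, which fits `level: low` but deserves a one-line comment.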
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml
new file mode 100644
index 00000000000..8df8a815711
--- /dev/null
+++ b/rules/linux/lnx_local_groups.yml
@@ -0,0 +1,27 @@
+title: Local Groups Discovery
+id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/groups'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml
new file mode 100644
index 00000000000..831c1dac92f
--- /dev/null
+++ b/rules/linux/lnx_network_service_scanning.yml
@@ -0,0 +1,47 @@
+action: global
+title: Linux Network Service Scanning
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1046
+---
+logsource:
+ category: process_creation
+ product: linux
+ definition: 'Detect netcat and filter our listening mode'
+detection:
+ netcat:
+ Image|endswith:
+ - '/nc'
+ - '/netcat'
+ network_scanning_tools:
+ Image|endswith:
+ - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+ - '/nmap'
+ netcat_listen_flag:
+ CommandLine|contains: 'l'
+ condition: (netcat and not netcat_listen_flag) or network_scanning_tools
+---
+logsource:
+ product: linux
+ service: auditd
+ definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'
+detection:
+ selection:
+ type: 'SYSCALL'
+ exe|endswith:
+ - '/telnet'
+ - '/nmap'
+ - '/netcat'
+ - '/nc'
+ key: 'network_connect_4'
+ condition: selection
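Review bot: `netcat_listen_flag: CommandLine|contains: 'l'` excludes every netcat execution whose command line contains the letter `l` anywhere (`nc localhost 80`, any hostname or path with an `l`), not just listen mode, so `netcat and not netcat_listen_flag` suppresses most of the events the rule is meant to catch. Match the flag instead, e.g. `CommandLine|contains: ' -l'`, which also covers combined forms such as ` -lvp`. The logsource definition also has a typo, `filter our listening mode` → `filter out listening mode`.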
diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml
new file mode 100644
index 00000000000..eccbff04f1c
--- /dev/null
+++ b/rules/linux/lnx_password_policy_discovery.yml
@@ -0,0 +1,25 @@
+title: Password Policy Discovery
+id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
+status: stable
+description: Detects password policy discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
+logsource:
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/etc/pam.d/common-password'
+ - '/etc/security/pwquality.conf'
+ - '/etc/pam.d/system-auth'
+ - '/etc/login.defs'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1201
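Review bot: `logsource:` declares only `service: auditd` and no `product: linux`, whereas the other auditd rules in this commit (lnx_binary_padding.yml, lnx_split_file_into_pieces.yml, lnx_susp_histfile_operations.yml) declare both; a backend config that keys on the product will not route this rule. Add `product: linux` above `service: auditd`.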
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
new file mode 100644
index 00000000000..1785e7ef8e7
--- /dev/null
+++ b/rules/linux/lnx_process_discovery.yml
@@ -0,0 +1,23 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '/ps'
+ - '/top'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1057
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 00000000000..218053e15c9
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1018
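Review bot: The inline comments `#10.0.0.0/8`, `#192.168.0.0/16`, `#172.16.0.0/12`, `#127.0.0.0/8` and `#169.254.0.0/16` have no space after `#`, unlike every other inline comment in this commit (e.g. `# covers /rmdir as well`); yamllint's comments rule flags these. Since the `/12` comment sits on `' 172.16.'` but the block enumerates `172.16.` through `172.31.`, one comment `# 172.16.0.0/12 (172.16. - 172.31.)` on the first entry would explain why sixteen entries follow.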
diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml
new file mode 100644
index 00000000000..cd2540f967f
--- /dev/null
+++ b/rules/linux/lnx_schedule_task_job_cron.yml
@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 6b14bac8-3e3a-4324-8109-42f0546a347f
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - 'crontab'
+ CommandLine|contains:
+ - '/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
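Review bot: `Image|endswith: 'crontab'` has no leading slash, unlike every other `Image|endswith` value in this commit (`'/at'`, `'/rm'`, `'/grep'`); without it the selection also matches any executable whose name merely ends in `crontab`. Use `- '/crontab'`.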
diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml
new file mode 100644
index 00000000000..37a7f7871c5
--- /dev/null
+++ b/rules/linux/lnx_security_software_discovery.yml
@@ -0,0 +1,31 @@
+title: Security Software Discovery
+id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ grep_execution:
+ Image|endswith: '/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: grep_execution and security_services_and_processes
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
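Review bot: The description `Detects usage of system utilities (only grep for now) to discover security software discovery` repeats the idea; reword to `Detects usage of system utilities (only grep for now) to discover security software`. The file also ends without a trailing newline, which this commit fixes elsewhere.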
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a49059..8d1f16177b2 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -1,34 +1,97 @@
+action: global
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
references:
- - https://attack.mitre.org/techniques/T1089/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
+---
logsource:
+ category: process_creation
product: linux
detection:
+ iptables_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_2:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ iptables_3:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_4:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ firewall_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'stop'
+ firewall_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'disable'
+ carbonblack_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_2:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'off'
+ carbonblack_3:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_4:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'disable'
+ selinux:
+ Image|endswith: '/setenforce'
+ CommandLine|contains: '0'
+ crowdstrike_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'stop'
+ - 'falcon-sensor'
+ crowdstrike_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'disable'
+ - 'falcon-sensor'
+ condition: 1 of them
+---
+logsource:
+ product: linux
+ service: syslog
+detection:
keywords:
- - Command|contains:
- - 'service iptables stop'
- - 'chkconfig off iptables'
- - 'service ip6tables stop'
- - 'chkconfig off ip6tables'
- - CarbonBlack|contains:
- - 'service cbdaemon stop'
- - 'chkconfig off cbdaemon'
- - 'systemctl stop cbdaemon'
- - 'systemctl disable cbdaemon'
- - SELinux:
- - 'setenforce 0'
- - Crowdstrike|contains:
- - 'systemctl stop falcon-sensor.service'
- - 'systemctl disable falcon-sensor.service'
+ - '*stopping iptables*'
+ - '*stopping ip6tables*'
+ - '*stopping firewalld*'
+ - '*stopping cbdaemon*'
+ - '*stopping falcon-sensor*'
condition: keywords
-falsepositives:
- - Legitimate administration activities
-level: medium
-tags:
- - attack.defense_evasion
\ No newline at end of file
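Review bot: `iptables_3` and `iptables_4` pair `Image|endswith: '/chkconfig'` with `'stop'`, but the chkconfig forms the rule is replacing were `chkconfig off iptables` / `chkconfig off ip6tables` (see the removed `Command|contains` list), and `carbonblack_2` correctly uses `'off'` for chkconfig; as written the two chkconfig selections will not match the chkconfig form of the command. Change `- 'stop'` to `- 'off'` in both. The syslog document keeps explicit `*` wildcards in its keyword list (`'*stopping iptables*'`) while the rest of this commit removes leading/trailing `*` in favour of modifiers; keyword lists are typically matched as substrings anyway, so `- 'stopping iptables'` etc. would be consistent. `selinux` uses `CommandLine|contains: '0'`, which any argument containing a zero satisfies; `' 0'` with a leading space targets the argument.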
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index 59a534cd328..ba7fc1bb78a 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -4,14 +4,18 @@ status: experimental
description: Detects shellshock expressions in log files
author: Florian Roth
date: 2017/03/14
+modified: 2021/04/28
references:
- - http://rubular.com/r/zxBfjWfFYs
+ - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
logsource:
product: linux
detection:
- expression:
- - /\(\)\s*\t*\{.*;\s*\}\s*;/
- condition: expression
+ keyword:
+ - '(){:;};'
+ - '() {:;};'
+ - '() { :;};'
+ - '() { :; };'
+ condition: keyword
falsepositives:
- Unknown
level: high
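Review bot: Replacing the regex `/\(\)\s*\t*\{.*;\s*\}\s*;/` with four literal spellings narrows detection to a function body of exactly `:` in those whitespace layouts; the old expression matched any body and any whitespace mix, so variants that differ by a tab or by the body are no longer matched. If the change is driven by backends that cannot evaluate a regular expression in a keyword list, a comment above `keyword:` stating that trade-off would help the next maintainer, and a `|re` selection could be kept where a field is available. The hunk ends before the end of the file.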
diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml
new file mode 100644
index 00000000000..36b1a82dbd8
--- /dev/null
+++ b/rules/linux/lnx_split_file_into_pieces.yml
@@ -0,0 +1,26 @@
+title: 'Split A File Into Pieces'
+id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ comm: 'split'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1030
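Review bot: The description `'Detection use of the command "split" to split files into parts and possible transfer.'` is ungrammatical; `'Detects use of the command "split" to split files into parts, possibly for transfer.'` reads better. The embedded comment mentions file system auditing with execute access, but the selection only uses `type: 'SYSCALL'` with `comm: 'split'`; stating which of the two audit configurations this rule actually needs would avoid confusion.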
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml
index ff20897bba7..bbd9d785df6 100644
--- a/rules/linux/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/lnx_sudo_cve_2019_14287.yml
@@ -30,4 +30,4 @@ detection:
USER:
- '#-*'
- '#*4294967295'
- condition: selection_user
\ No newline at end of file
+ condition: selection_user
diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml
new file mode 100644
index 00000000000..453bad91626
--- /dev/null
+++ b/rules/linux/lnx_susp_histfile_operations.yml
@@ -0,0 +1,42 @@
+title: 'Suspicious History File Operations'
+id: eae8ce9f-bde9-47a6-8e79-f20d18419910
+status: experimental
+description: 'Detects commandline operations on shell history files'
+ # Rule detects presence of various shell history files in process commandline
+ # Normally user expected to view own history with dedicated 'history' command and not some other tools
+ # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ keywords|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
+fields:
+ - a0
+ - a1
+ - a2
+ - a3
+ - key
+falsepositives:
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.003
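Review bot: Two typos in this new file: the comment line reading "T1070.003 techinuque is used" should read `# There is a possibility for the rule to trigger when the T1070.003 technique is used (history file cleared)`, and the second falsepositives entry should read `- 'Legitimate software, cleaning history file'`. The falsepositives text is part of the rule's published metadata, so the misspelling surfaces to every consumer of the rule.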
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 2fc43980ab3..128300cc2b1 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -20,4 +20,4 @@ falsepositives:
level: high
tags:
- attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index b8499238754..c5ea7448e87 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -30,4 +30,4 @@ falsepositives:
level: medium
tags:
- attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml
new file mode 100644
index 00000000000..9d20a189656
--- /dev/null
+++ b/rules/linux/lnx_symlink_etc_passwd.yml
@@ -0,0 +1,18 @@
+title: Symlink Etc Passwd
+id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
+status: experimental
+description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
+author: Florian Roth
+date: 2019/04/05
+references:
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+logsource:
+ product: linux
+detection:
+ keywords:
+ - 'ln -s -f /etc/passwd'
+ - 'ln -s /etc/passwd'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
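Review bot: The rule is dated `2019/04/05` but its only reference is the 21Nails advisory at a `/2021/05/04/` URL, so either the date is wrong or a `modified:` line is missing; if the reference was added later, add `modified: <YYYY/MM/DD of the reference update>` (placeholder) under `date`. The keyword-only detection with no `service` in logsource and `level: high` against `falsepositives: Unknown` would also benefit from one comment line stating which log stream the keywords are expected to be matched against.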
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
new file mode 100644
index 00000000000..892f10d7665
--- /dev/null
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -0,0 +1,49 @@
+action: global
+title: System Information Discovery
+id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
+status: stable
+description: Detects system information discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+modified: 2020/05/30
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1082
+---
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/uname'
+ - '/hostname'
+ - '/uptime'
+ - '/lspci'
+ - '/dmidecode'
+ - '/lscpu'
+ - '/lsmod'
+ condition: selection
+---
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/sys/class/dmi/id/bios_version'
+ - '/sys/class/dmi/id/product_name'
+ - '/sys/class/dmi/id/chassis_vendor'
+ - '/proc/scsi/scsi'
+ - '/proc/ide/hd0/model'
+ - '/proc/version'
+ - '/etc/*version'
+ - '/etc/*release'
+ - '/etc/issue'
+ condition: selection
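Review bot: `modified: 2020/05/30` precedes `date: 2020/10/08` in the first document of this new file, which cannot be right for a rule created in October; either drop the `modified` line or correct it to a date on or after the creation date. This is also the only new rule in the commit marked `status: stable` while every sibling is `experimental`; unless it has been validated elsewhere, `status: experimental` would be consistent with the rest of the batch.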
diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml
new file mode 100644
index 00000000000..5f9642370c7
--- /dev/null
+++ b/rules/linux/lnx_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/who'
+ - '/w'
+ - '/last'
+ - '/lsof'
+ - '/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
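Review bot: This new file is committed without a trailing newline, while the same commit fixes exactly that in lnx_sudo_cve_2019_14287.yml, lnx_susp_named.yml and lnx_susp_ssh.yml; the same applies to macos_base64_decode.yml, macos_create_hidden_account.yml, macos_disable_security_tools.yml, macos_file_and_directory_discovery.yml and macos_security_software_discovery.yml in this commit. Adding the final newline keeps the new files consistent with the repository's own cleanup and avoids a spurious diff the next time someone touches them.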
diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml
new file mode 100644
index 00000000000..fa5c6f74873
--- /dev/null
+++ b/rules/linux/lnx_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - Linux
+id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
+status: experimental
+description: Detects enumeration of local network configuration
+author: Ömer Günal and remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection1:
+ Image|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml
new file mode 100644
index 00000000000..88c476d4b40
--- /dev/null
+++ b/rules/linux/lnx_system_shutdown_reboot.yml
@@ -0,0 +1,40 @@
+title: 'System Shutdown/Reboot'
+id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'init'
+ - 'telinit'
+ selection3:
+ type: 'EXECVE'
+ keywords|contains:
+ - '0'
+ - '6'
+ condition: selection1 or (selection2 and selection3)
+falsepositives:
+ - 'Legitimate administrative activity'
+level: informational
+tags:
+ - attack.impact
+ - attack.t1529
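Review bot: The reference URL in this new file starts with `hhttps://`, so the link is broken; it should read `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. Separately, `selection3` matches any EXECVE record whose keywords contain the digit `0` or `6`, which will hold for most command lines, so `(selection2 and selection3)` presumably reduces to `selection2` alone and the `init`/`telinit` substring match fires on unrelated commands; anchoring those values (for example matching `a1` against `0`/`6` rather than a substring of `keywords`) would make the condition do what the comment implies.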
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml
new file mode 100644
index 00000000000..38daf676a3c
--- /dev/null
+++ b/rules/linux/macos_applescript.yml
@@ -0,0 +1,24 @@
+title: MacOS Scripting Interpreter AppleScript
+id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+status: experimental
+description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/osascript'
+ CommandLine|contains|all:
+ - '-e'
+ condition: selection
+falsepositives:
+ - Application installers might contain scripts as part of the installation process.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.002
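Review bot: This and every other `macos_*.yml` file in the commit declares `product: macos` yet is placed under `rules/linux/`, which makes the rules hard to find by platform and risks them being skipped by tooling that selects rules by directory; if the repository has no `rules/macos/` directory yet, creating one for this batch would be the cleaner layout. Within this file, `CommandLine|contains|all` with a single value `'-e'` is equivalent to `CommandLine|contains: '-e'`, and the description repeats "AppleScript" twice; `description: Detects execution of AppleScript via the osascript interpreter.` reads more clearly.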
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml
new file mode 100644
index 00000000000..4afeec596cd
--- /dev/null
+++ b/rules/linux/macos_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ base64_execution:
+ Image: '/usr/bin/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
new file mode 100644
index 00000000000..843b2aa61e9
--- /dev/null
+++ b/rules/linux/macos_binary_padding.yml
@@ -0,0 +1,33 @@
+title: 'Binary Padding'
+id: 95361ce5-c891-4b0a-87ca-e24607884a96
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/truncate'
+ CommandLine|contains:
+ - '-s'
+ selection2:
+ Image|endswith:
+ - '/dd'
+ CommandLine|contains:
+ - 'if='
+ filter:
+ CommandLine|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
new file mode 100644
index 00000000000..f4a0ca2d792
--- /dev/null
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -0,0 +1,29 @@
+title: 'File Time Attribute Change'
+id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith: '/touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml
new file mode 100644
index 00000000000..33ce525a3ad
--- /dev/null
+++ b/rules/linux/macos_clear_system_logs.yml
@@ -0,0 +1,27 @@
+title: Indicator Removal on Host - Clear Mac System Logs
+id: acf61bd8-d814-4272-81f0-a7a269aa69aa
+status: experimental
+description: Detects deletion of local audit logs
+author: remotephone, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ - Image|endswith: '/rm'
+ selection2:
+ CommandLine|contains: '/var/log'
+ selection3:
+ Commandline|contains|all:
+ - '/Users/'
+ - '/Library/Logs/'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
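Review bot: `selection3` uses the field name `Commandline` (lowercase l) while `selection2` in the same file uses `CommandLine`; since backends map fields by exact name, the misspelled one will likely be passed through unmapped and `selection3` will never match, so it should read `Commandline|contains|all:` → `CommandLine|contains|all:`. The same lowercase spelling appears twice in macos_gui_input_capture.yml in this commit. `selection1` is also written as a list of one mapping (`- Image|endswith: '/rm'`) where the other selections are plain mappings; `Image|endswith: '/rm'` directly under `selection1:` keeps the file consistent.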
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml
new file mode 100644
index 00000000000..42d1d493102
--- /dev/null
+++ b/rules/linux/macos_create_account.yml
@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains:
+ - 'create'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml
new file mode 100644
index 00000000000..56cf55fdf11
--- /dev/null
+++ b/rules/linux/macos_create_hidden_account.yml
@@ -0,0 +1,33 @@
+title: Hidden User Creation
+id: b22a5b36-2431-493a-8be1-0bae56c28ef3
+status: experimental
+description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/10
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ dscl_create:
+ Image|endswith: '/dscl'
+ CommandLine|contains: 'create'
+ id_below_500:
+ CommandLine|contains: UniqueID
+ CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
+ ishidden_option_declaration:
+ CommandLine|contains: 'IsHidden'
+ ishidden_option_confirmation:
+ CommandLine|contains:
+ - 'true'
+ - 'yes'
+ - '1'
+ condition: dscl_create and id_below_500 or
+ dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
\ No newline at end of file
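Review bot: The regex in `id_below_500` is unanchored, so `'([0-9]|[1-9][0-9]|[1-4][0-9]{2})'` matches any single digit anywhere in the command line and the selection collapses to `CommandLine|contains: UniqueID`; tying it to the option would express the intent, for example `CommandLine|re: 'UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)'`. `ishidden_option_confirmation` has the same weakness with the value `'1'`. The two-line plain-scalar `condition` is valid YAML but easy to misread; `condition: dscl_create and (id_below_500 or (ishidden_option_declaration and ishidden_option_confirmation))` on one line says the same thing unambiguously.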
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml
new file mode 100644
index 00000000000..e8d3d1302ac
--- /dev/null
+++ b/rules/linux/macos_creds_from_keychain.yml
@@ -0,0 +1,29 @@
+title: Credentials from Password Stores - Keychain
+id: b120b587-a4c2-4b94-875d-99c9807d6955
+status: experimental
+description: Detects passwords dumps from Keychain
+author: Tim Ismilyaev, oscd.community, Florian Roth
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+ - https://gist.github.com/Capybara/6228955
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection1:
+ Image: '/usr/bin/security'
+ CommandLine|contains:
+ - 'find-certificate'
+ - ' export '
+ selection2:
+ CommandLine|contains:
+ - ' dump-keychain '
+ - ' login-keychain '
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1555.001
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
new file mode 100644
index 00000000000..0f843c7897d
--- /dev/null
+++ b/rules/linux/macos_disable_security_tools.yml
@@ -0,0 +1,42 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ launchctl_unload:
+ Image: '/bin/launchctl'
+ CommandLine|contains: 'unload'
+ security_plists:
+ CommandLine|contains:
+ - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
+ - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
+ - 'com.google.santad.plist' # google santa
+ - 'com.carbonblack.defense.daemon.plist' # carbon black
+ - 'com.carbonblack.daemon.plist' # carbon black
+ - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
+ - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
+ - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+ - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
+ - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
+ - 'osquery' # facebook osquery
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'td-agent' # fluentd log shipper
+ disable_gatekeeper:
+ Image: '/usr/sbin/spctl'
+ CommandLine|contains: 'disable'
+ condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+ - Legitimate activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos_emond_launch_daemon.yml
new file mode 100644
index 00000000000..1c904a61bb0
--- /dev/null
+++ b/rules/linux/macos_emond_launch_daemon.yml
@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+ - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+ category: file_event
+ product: macos
+detection:
+ selection_1:
+ TargetFilename|contains: '/etc/emond.d/rules/'
+ TargetFilename|endswith: '.plist'
+ selection_2:
+ TargetFilename|contains: '/private/var/db/emondClients/'
+ condition: selection_1 or selection_2
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.014
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml
new file mode 100644
index 00000000000..025babc38ee
--- /dev/null
+++ b/rules/linux/macos_file_and_directory_discovery.yml
@@ -0,0 +1,31 @@
+title: File and Directory Discovery
+id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ file_with_asterisk:
+ Image: '/usr/bin/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image: '/bin/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image: '/usr/bin/find'
+ mdfind_execution:
+ Image: '/usr/bin/mdfind'
+ tree_execution|endswith:
+ Image: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
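Review bot: `tree_execution|endswith:` puts the modifier on the selection name instead of the field, so this selection is malformed and will presumably either fail validation or never match; it should be `tree_execution:` with `Image|endswith: '/tree'` beneath it. The `(.){200,}` regex is explained only by a terse inline comment; a fuller one such as `# very long command lines from 'file' with shell globs, e.g. file */* *` next to it would help the next reader.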
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
new file mode 100644
index 00000000000..a0b2a0cbdca
--- /dev/null
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -0,0 +1,28 @@
+title: 'Credentials In Files'
+id: 53b1b378-9b06-4992-b972-dde6e423d2b4
+status: experimental
+description: 'Detecting attempts to extract passwords with grep and laZagne'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/grep'
+ CommandLine|contains:
+ - 'password'
+ selection2:
+ CommandLine|contains: 'laZagne'
+ condition: selection1 or selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml
new file mode 100644
index 00000000000..22b42e1c41a
--- /dev/null
+++ b/rules/linux/macos_gui_input_capture.yml
@@ -0,0 +1,39 @@
+title: GUI Input Capture - macOS
+id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
+status: experimental
+description: Detects attempts to use system dialog prompts to capture user credentials
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
+ - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image:
+ - '/usr/sbin/osascript'
+ selection2:
+ Commandline|contains|all:
+ - '-e'
+ - 'display'
+ - 'dialog'
+ - 'answer'
+ selection3:
+ Commandline|contains:
+ - 'admin'
+ - 'administrator'
+ - 'authenticate'
+ - 'authentication'
+ - 'credentials'
+ - 'pass'
+ - 'password'
+ - 'unlock'
+ condition: all of them
+falsepositives:
+ - Legitimate administration tools and activities
+level: low
+tags:
+ - attack.credential_access
+ - attack.t1056.002
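Review bot: `selection1` pins `Image` to `/usr/sbin/osascript`, but the interpreter is installed at `/usr/bin/osascript` on macOS (macos_applescript.yml in this commit matches `'/osascript'` by suffix for the same reason), so with `condition: all of them` this rule can never fire; `Image|endswith: '/osascript'` fixes it. `selection2` and `selection3` also use the field name `Commandline` rather than `CommandLine` as the other rules do, which will likely leave them unmapped by the backends.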
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml
new file mode 100644
index 00000000000..638fb1ba9e4
--- /dev/null
+++ b/rules/linux/macos_local_account.yml
@@ -0,0 +1,48 @@
+title: Local System Accounts Discovery
+id: ddf36b67-e872-4507-ab2e-46bda21b842c
+status: experimental
+description: Detects enumeration of local systeam accounts on MacOS
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains|all:
+ - 'list'
+ - '/users'
+ selection_2:
+ Image|endswith:
+ - '/dscacheutil'
+ CommandLine|contains|all:
+ - '-q'
+ - 'user'
+ selection_3:
+ CommandLine|contains:
+ - "'x:0:'"
+ selection_4:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/sudoers'
+ selection_5:
+ Image|endswith:
+ - '/id'
+ selection_6:
+ Image|endswith:
+ - '/lsof'
+ CommandLine|contains:
+ - '-u'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
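Review bot: `selection_3` matches the literal string `'x:0:'` including the surrounding single quotes (`"'x:0:'"`), but process-creation logs generally record arguments after the shell has stripped quoting, so this selection presumably only matches when the quotes survive; `CommandLine|contains: 'x:0:'` would cover both cases. `selection_5` fires on every execution of a binary whose path ends in `/id` with no command-line constraint, which combined with `1 of them` makes the rule noisy even at `level: low`. The description also has a typo: `description: Detects enumeration of local system accounts on macOS`.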
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
new file mode 100644
index 00000000000..7cffce09d00
--- /dev/null
+++ b/rules/linux/macos_local_groups.yml
@@ -0,0 +1,36 @@
+title: Local Groups Discovery
+id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/dscacheutil'
+ CommandLine|contains|all:
+ - '-q'
+ - 'group'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ selection_3:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains|all:
+ - '-list'
+ - '/groups'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml
new file mode 100644
index 00000000000..8faa5b72103
--- /dev/null
+++ b/rules/linux/macos_network_service_scanning.yml
@@ -0,0 +1,29 @@
+title: MacOS Network Service Scanning
+id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/nc'
+ - '/netcat'
+ selection_2:
+ Image|endswith:
+ - '/nmap'
+ - '/telnet'
+ filter:
+ CommandLine|contains: 'l'
+ condition: (selection_1 and not filter) or selection_2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1046
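Review bot: The `filter` selection is `CommandLine|contains: 'l'`, a single letter that will occur in almost every nc/netcat command line (any path or host name containing an l), so `selection_1 and not filter` suppresses nearly all of the events the rule is meant to catch. If the intent is to exclude listener mode, the filter should target the option, e.g. `CommandLine|contains: ' -l'` or `CommandLine|re: '\s-[a-zA-Z]*l'`, and a comment stating that intent (`# exclude listen mode, which is not scanning`) would make the exclusion reviewable.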
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml
new file mode 100644
index 00000000000..ef95ea36d63
--- /dev/null
+++ b/rules/linux/macos_network_sniffing.yml
@@ -0,0 +1,24 @@
+title: Network Sniffing
+id: adc9bcc4-c39c-4f6b-a711-1884017bf043
+status: experimental
+description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/tcpdump'
+ - '/tshark'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.t1040
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
new file mode 100644
index 00000000000..fd5867314a5
--- /dev/null
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -0,0 +1,48 @@
+title: Macos Remote System Discovery
+id: 10227522-8429-47e6-a301-f2b2d014e7ad
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/arp'
+ CommandLine|contains:
+ - '-a'
+ selection_2:
+ Image|endswith:
+ - '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1018
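Review bot: The inline comments on the private-range entries are written as `#10.0.0.0/8` with no space after the hash, which yamllint's comments rule flags; `- ' 10.' # 10.0.0.0/8` is the conventional form. The list also includes `' 127.'`, which is loopback rather than a remote system, so either drop it or add a comment explaining why pinging localhost is considered discovery here.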
diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml
new file mode 100644
index 00000000000..c757d014fb0
--- /dev/null
+++ b/rules/linux/macos_schedule_task_job_cron.yml
@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 7c3b43d8-d794-47d2-800a-d277715aa460
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/crontab'
+ CommandLine|contains:
+ - '/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml
new file mode 100644
index 00000000000..18fb1bf3271
--- /dev/null
+++ b/rules/linux/macos_screencapture.yml
@@ -0,0 +1,22 @@
+title: Screen Capture - macOS
+id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
+status: experimental
+description: Detects attempts to use screencapture to collect macOS screenshots
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+ - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image: '/usr/sbin/screencapture'
+ condition: selection
+falsepositives:
+ - Legitimate user activity taking screenshots
+level: low
+tags:
+ - attack.collection
+ - attack.t1113
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml
new file mode 100644
index 00000000000..ae896a953ad
--- /dev/null
+++ b/rules/linux/macos_security_software_discovery.yml
@@ -0,0 +1,39 @@
+title: Security Software Discovery
+id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ grep_execution:
+ Image: '/usr/bin/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'santad' # google santa
+ - 'CbDefense' # carbon black
+ - 'falcond' # crowdstrike falcon
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'BlockBlock' # Objective-See persistence locations watcher/blocker
+ - 'LuLu' # Objective-See firewall management utility
+ little_snitch_process: # Objective Development Software firewall management utility
+ CommandLine|contains|all:
+ - 'Little'
+ - 'Snitch'
+ condition: grep_execution and security_services_and_processes or
+ grep_execution and little_snitch_process
+falsepositives:
+ - Legitimate activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
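Review bot: The description reads "to discover security software discovery", which is circular; `description: Detects usage of system utilities (only grep for now) to discover installed security software` states the intent. The two-line condition can be written on one line with explicit grouping, `condition: grep_execution and (security_services_and_processes or little_snitch_process)`, which is equivalent and avoids relying on operator precedence across a folded plain scalar.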
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml
new file mode 100644
index 00000000000..f65d96dee77
--- /dev/null
+++ b/rules/linux/macos_split_file_into_pieces.yml
@@ -0,0 +1,23 @@
+title: 'Split A File Into Pieces'
+id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see link
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/split'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1030
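Review bot: The selection fires on every execution of a binary named `split` with no command-line constraint, so routine scripting that chunks files will trigger this rule as often as the exfiltration staging it targets. The referenced Atomic test, if I read it right, invokes `split -b <size> <file>`; adding `CommandLine|contains: '-b'` beneath the `Image|endswith` line keeps the rule aligned with the test while dropping a share of the noise. The description also has a typo: "Detection use of" should be "Detects use of".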
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml
new file mode 100644
index 00000000000..89102e3ff44
--- /dev/null
+++ b/rules/linux/macos_startup_items.yml
@@ -0,0 +1,24 @@
+title: Startup Items
+id: dfe8b941-4e54-4242-b674-6b613d521962
+status: experimental
+description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+logsource:
+ category: file_event
+ product: macos
+detection:
+ selection_1:
+ TargetFilename|contains: '/Library/StartupItems/'
+ selection_2:
+ TargetFilename|endswith: '.plist'
+ condition: selection_1 and selection_2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1037.005
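Review bot: Requiring `TargetFilename|endswith: '.plist'` in `selection_2` means the rule only sees the `StartupParameters.plist` half of a StartupItem and misses the executable script dropped beside it, which is the part that actually runs at boot. If the referenced Atomic test behaves as I recall (it copies both a shell script and the plist into `/Library/StartupItems/<name>/`), a single selection `TargetFilename|contains: '/Library/StartupItems/'` with `condition: selection` would catch either file, and the `.plist` suffix could remain as a separate higher-confidence rule if noise is a concern. Either way the two selections can be merged and the `and` condition dropped.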
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml
new file mode 100644
index 00000000000..b643bfbb3e5
--- /dev/null
+++ b/rules/linux/macos_susp_histfile_operations.yml
@@ -0,0 +1,33 @@
+title: 'Suspicious History File Operations'
+id: 508a9374-ad52-4789-b568-fc358def2c65
+status: experimental
+description: 'Detects commandline operations on shell history files'
+ # Rule detects presence of various shell history files in process commandline
+ # Normally user expected to view own history with dedicated 'history' command and not some other tools
+ # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.003
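Review bot: Two typos in the added text will ship with the rule: `techinuque` in the explanatory comment, and `Ligitimate software, cleaning hist file` in falsepositives, which should read `Legitimate software cleaning history files`. On the detection side, history files are commonly wiped via shell redirection (`> ~/.bash_history`), which the shell handles itself rather than passing to an exec'd process, so an OpenBSM process_creation event would presumably not carry the file name; the comment that mentions T1070.003 could say that only the `rm`/`cat`-style operations are visible to this rule.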
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml
new file mode 100644
index 00000000000..1a3fb7d41c3
--- /dev/null
+++ b/rules/linux/macos_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image:
+ - '/usr/bin/who'
+ - '/usr/bin/w'
+ - '/usr/bin/last'
+ - '/usr/sbin/lsof'
+ - '/usr/sbin/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
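Review bot: `/usr/sbin/netstat` at the bottom of the `Image` list is also listed in `selection1` of `macos_system_network_discovery.yml` in this same change, so every netstat execution raises both rules; if that overlap is intended it deserves a comment, otherwise drop it from one of them. Style-wise this rule uses exact `Image:` paths while the sibling macOS rules added here use `Image|endswith:`; either works, but one convention across the new macOS set would make the directory easier to maintain.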
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml
new file mode 100644
index 00000000000..40b2f33d545
--- /dev/null
+++ b/rules/linux/macos_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - macOS
+id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
+status: experimental
+description: Detects enumeration of local network configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image:
+ - '/usr/sbin/netstat'
+ - '/sbin/ifconfig'
+ - '/usr/sbin/ipconfig'
+ - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+ - '/usr/sbin/networksetup'
+ - '/usr/sbin/arp'
+ selection2:
+ Image: '/usr/bin/defaults'
+ Commandline|contains|all:
+ - 'read'
+ - '/Library/Preferences/com.apple.alf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1016
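Review bot: `Commandline|contains|all` in `selection2` uses a field name that differs from the `CommandLine` every other macOS process_creation rule in this change uses (for example `CommandLine|contains|all` in the xattr rule); backend field mappings are keyed on the exact name, so this selector would most likely be emitted verbatim and never match. Change it to `CommandLine|contains|all:` so the `defaults read /Library/Preferences/com.apple.alf` case actually fires.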
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml
new file mode 100644
index 00000000000..fe4d4b6456f
--- /dev/null
+++ b/rules/linux/macos_system_shutdown_reboot.yml
@@ -0,0 +1,26 @@
+title: 'System Shutdown/Reboot'
+id: 40b1fbe2-18ea-4ee7-be47-0294285811de
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/shutdown'
+ - '/reboot'
+ - '/halt'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: informational
+tags:
+ - attack.impact
+ - attack.t1529
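Review bot: The only reference is misspelled `hhttps://github.com/...` and will not resolve; it should be `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. Since this is the rule's sole citation, the typo leaves it without a working source.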
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml
new file mode 100644
index 00000000000..8c4ac76c2db
--- /dev/null
+++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml
@@ -0,0 +1,24 @@
+title: Gatekeeper Bypass via Xattr
+id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
+status: experimental
+description: Detects macOS Gatekeeper bypass via xattr utility
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith: '/xattr'
+ CommandLine|contains|all:
+ - '-r'
+ - 'com.apple.quarantine'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1553.001
\ No newline at end of file
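Review bot: The `CommandLine|contains|all` pair keys on `-r` (recursive) plus the attribute name, but the usual bypass is the non-recursive `xattr -d com.apple.quarantine <file>`, which this selection misses, while a read-only `xattr -r -p com.apple.quarantine <dir>` would match. Keying on the delete flag instead, `CommandLine|contains|all: ['-d', 'com.apple.quarantine']`, tracks the removal regardless of `-r`; the referenced Atomic test uses `xattr -r -d com.apple.quarantine`, if I recall, so it would still fire. If `xattr -c` (clear all attributes) should be covered too, add a second selection for `-c` and OR it in the condition.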
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 666f7c72bd1..3775bc79551 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -4,20 +4,21 @@ status: experimental
description: Detects suspicious DNS queries known from Cobalt Strike beacons
author: Florian Roth
date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
logsource:
category: dns
detection:
selection:
- query:
- - 'aaa.stage.*'
- - 'post.1*'
+ query|startswith:
+ - 'aaa.stage.'
+ - 'post.1'
condition: selection
falsepositives:
- Unknown
-level: high
+level: critical
tags:
- attack.command_and_control
- attack.t1071 # an old one
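Review bot: Raising `level` to critical while one of the two `query|startswith` patterns is the six-character prefix `post.1` is a large confidence jump; `startswith` matches any hostname whose first label begins with `post.1`, so the rating rests on an assumption that such names never appear in benign resolver traffic. If the newly added Sekoia reference supports a longer prefix or an additional fixed label, pinning it would justify the level; otherwise consider keeping `post.1` at high in a separate rule and reserving critical for `aaa.stage.`.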
diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml
index 8af84a9463a..6031ac58709 100644
--- a/rules/network/net_susp_dns_b64_queries.yml
+++ b/rules/network/net_susp_dns_b64_queries.yml
@@ -11,8 +11,8 @@ logsource:
category: dns
detection:
selection:
- query:
- - '*==.*'
+ query|contains:
+ - '==.'
condition: selection
falsepositives:
- Unknown
@@ -23,4 +23,4 @@ tags:
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- - attack.t1071.004
\ No newline at end of file
+ - attack.t1071.004
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 7632d31f31f..4e97c3493a9 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -13,10 +13,10 @@ logsource:
detection:
selection:
record_type: 'TXT'
- answer:
- - '*IEX*'
- - '*Invoke-Expression*'
- - '*cmd.exe*'
+ answer|contains:
+ - 'IEX'
+ - 'Invoke-Expression'
+ - 'cmd.exe'
condition: selection
falsepositives:
- Unknown
@@ -24,4 +24,4 @@ level: high
tags:
- attack.command_and_control
- attack.t1071 # an old one
- - attack.t1071.004
\ No newline at end of file
+ - attack.t1071.004
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 00000000000..dfa15acbaa9
--- /dev/null
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,23 @@
+title: First Time Seen Remote Named Pipe - Zeek
+id: bae2865c-5565-470d-b505-9496c87d0c30
+description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+author: OTR (Open Threat Research)
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+ - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+ - https://twitter.com/_dirkjan/status/1309214379003588608
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+date: 2018/11/28
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ path: \\*\IPC$
+ name: spoolss
+ condition: selection
+falsepositives:
+ - 'Domain Controllers acting as printer servers too? :)'
+level: medium
\ No newline at end of file
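Review bot: `path: \\*\IPC$` is an unquoted plain scalar that still uses the legacy wildcard syntax, while the rest of this change converts exactly that pattern to modifiers (see the psexec rule's `path|contains|all`), so this new file would be the one rule a wildcard-free converter rejects; `path|endswith: '\IPC$'` expresses the same thing. The rule also lacks the `status:` field the other new rules carry, and the title "First Time Seen Remote Named Pipe" promises a first-seen/baseline logic that the selection (any spoolss open over IPC$) does not implement — either the title or the description should match the actual detection.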
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
new file mode 100644
index 00000000000..6dad3ef8213
--- /dev/null
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -0,0 +1,24 @@
+title: Default Cobalt Strike Certificate
+id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
+description: Detects the presense of default Cobalt Strike certificate in the HTTPS traffic
+author: Bhabesh Raj
+date: 2021/06/23
+references:
+ - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
+tags:
+ - attack.command_and_control
+ - attack.s0154
+logsource:
+ product: zeek
+ service: x509
+detection:
+ selection:
+ certificate.serial: 8bb00ee
+ condition: selection
+fields:
+ - san.dns
+ - certificate.subject
+ - certificate.issuer
+falsepositives:
+ - none
+level: high
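Review bot: `certificate.serial: 8bb00ee` is left as a plain scalar; it happens to parse as a string here, but a serial that is all digits would silently become an integer, so quote it: `certificate.serial: '8bb00ee'`. Zeek writes the serial as a hex string and, as far as I recall, in upper case, so the match depends on the backend's case-insensitive default — worth a one-line comment for anyone targeting a backend with case-sensitive equality. Like the other new zeek rules in this change, `status:` is missing.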
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
new file mode 100644
index 00000000000..85306e0aeed
--- /dev/null
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -0,0 +1,68 @@
+title: Suspicious DNS Z Flag Bit Set
+id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
+description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
+date: 2021/05/04
+modified: 2021/05/24
+references:
+ - 'https://twitter.com/neu5ron/status/1346245602502443009'
+ - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
+ - 'https://tools.ietf.org/html/rfc2929#section-2.1'
+ - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
+author: '@neu5ron, SOC Prime Team, Corelight'
+tags:
+ - attack.t1094
+ - attack.t1043
+ - attack.command_and_control
+logsource:
+ product: zeek
+ service: dns
+detection:
+ z_flag_unset:
+ Z: '0'
+ most_probable_valid_domain:
+ query|contains: '.'
+ exclude_tlds:
+ query|endswith:
+ - '.arpa'
+ - '.local'
+ - '.ultradns.net'
+ - '.twtrdns.net'
+ - '.azuredns-prd.info'
+ - '.azure-dns.com'
+ - '.azuredns-ff.info'
+ - '.azuredns-ff.org'
+ - '.azuregov-dns.org'
+ exclude_query_types:
+ qtype_name:
+ - 'NS'
+ - 'ns'
+ exclude_responses:
+ answers|endswith: '\\x00'
+ exclude_netbios:
+ id.resp_p:
+ - '137'
+ - '138'
+ - '139'
+ condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
+falsepositives:
+ - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
+ - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
+level: medium
+fields:
+ - ts
+ - id.orig_h
+ - id.orig_p
+ - id.resp_h
+ - id.resp_p
+ - proto
+ - qtype_name
+ - qtype
+ - query
+ - answers
+ - rcode
+ - rcode_name
+ - trans_id
+ - qtype
+ - ttl
+ - AA
+ - uid
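Review bot: The `condition:` line lists `exclude_tlds OR exclude_tlds` twice; the duplicate is harmless but looks like a pasted-over exclusion that was meant to be a different selector, so drop one or restore the intended name. The `fields` list also repeats `qtype`, and the description carries a sentence about "multiple of these files were accessed in a short period of time" that belongs to a file-access rule, not a DNS Z-bit check — remove it. Finally, `attack.t1094` and `attack.t1043` are retired technique IDs; the other rules in this repository keep those only alongside the current ones with an `# an old one` comment, so add `attack.t1071` / `attack.t1071.004` and mark the old IDs the same way.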
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index a625e2078b1..9fe20755556 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -15,11 +15,11 @@ date: 2020/05/01
modified: 2020/09/02
detection:
selection_webdav:
- - c-useragent: '*WebDAV*'
- - c-uri: '*webdav*'
+ - c-useragent|contains: 'WebDAV'
+ - c-uri|contains: 'webdav'
selection_executable:
- - resp_mime_types: '*dosexec*'
- - c-uri: '*.exe'
+ - resp_mime_types|contains: 'dosexec'
+ - c-uri|endswith: '.exe'
condition: selection_webdav AND selection_executable
falsepositives:
- unknown
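Review bot: The rewrite changes the detection but leaves `modified: 2020/09/02` at the top of the hunk untouched; bump it to the date of this change so consumers can see the rule moved. Field naming is also mixed for a `product: zeek` / `service: http` rule: `c-useragent` and `c-uri` are proxy-log names, while `resp_mime_types` is a Zeek http.log name and the new WebDav PUT rule in this change uses `user_agent` / `method`; unless a backend field mapping covers both sets (not visible here), one of them will not resolve, so aligning on Zeek's `user_agent` and `uri` would be safer.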
diff --git a/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml b/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml
new file mode 100644
index 00000000000..d1d19bb686a
--- /dev/null
+++ b/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml
@@ -0,0 +1,30 @@
+title: Potential Exfiltration of Compressed Files
+id: 0d47e3f6-357f-4534-928c-202631d065fa
+description: This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body
+date: 2020/04/05
+author: Greg Howell, OTR (Open Threat Research)
+tags:
+ - attack.exfiltration
+ - attack.t1560.001
+ - attack.t1005
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/17
+logsource:
+ product: zeek
+ service: http
+detection:
+ selection1:
+ uri|endswith:
+ - '.7z'
+ - '.zip'
+ - '.rar'
+ mime_types|endswith: 'compressed'
+ selection3:
+ filetype|endswith: 'compressed'
+ selection4:
+ http.bodyMagic|endswith: 'compressed'
+ http.method: PUT
+ condition: selection1 or selection3 or selection4
+falsepositives:
+ - Legitimate upload/download of archives
+level: medium
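Review bot: In `selection1` the `uri|endswith` list and `mime_types|endswith: 'compressed'` sit in one mapping, so both must hold — a `.zip` URI without a compressed MIME type never matches, which contradicts the "compression extensions in the uri" the description advertises; if they are alternatives, split them into separate selections and OR them (the numbering 1, 3, 4 suggests a `selection2` was dropped along the way). Only `selection4` constrains direction with `http.method: PUT`; `selection1` and `selection3` fire on any archive download, so this exfiltration rule at `medium` will be dominated by downloads unless `method: PUT` is applied to every selection. `mime_types`, `filetype` and `http.bodyMagic` do not look like stock Zeek http.log field names (those are `orig_mime_types` / `resp_mime_types`), so confirm the field mapping for the intended backend.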
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
new file mode 100644
index 00000000000..c4eb70960b1
--- /dev/null
+++ b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -0,0 +1,27 @@
+title: WebDav Put Request
+id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
+status: experimental
+description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/17
+logsource:
+ product: zeek
+ service: http
+detection:
+ selection:
+ user_agent|contains: 'WebDAV'
+ method: 'PUT'
+ filter:
+ id_resp_h:
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - 10.0.0.0/8
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
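Review bot: The `filter` lists RFC1918 ranges under `id_resp_h` as plain values, so a backend compiles them to string equality against `192.168.0.0/16` and the filter never excludes anything; Sigma needs the CIDR modifier for range matching, i.e. `id_resp_h|cidr:`. The field is also written with an underscore while the Z-flag rule in this change uses Zeek's dotted `id.resp_h`, so the two cannot both map correctly — pick one spelling. With the filter inert the rule fires on every internal WebDAV PUT, and only `level: low` keeps it quiet.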
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 48a607a5582..44d812ee7b0 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -16,8 +16,11 @@ logsource:
service: smb_files
detection:
selection:
- path: '\\*ADMIN$'
- name: '*SYSTEM32\\*.tmp'
+ path|contains|all:
+ - '\'
+ - 'ADMIN$'
+ name|contains: 'SYSTEM32\'
+ name|endswith: '.tmp'
condition: selection
falsepositives:
- 'unknown'
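Review bot: The `'\'` entry in `path|contains|all` is satisfied by every UNC share path and so adds nothing to the `'ADMIN$'` test; the original `\\*ADMIN$` meant a path that starts with a backslash and ends in `ADMIN$`, which `path|endswith: 'ADMIN$'` (optionally with `path|startswith: '\'`) states more precisely. Note also that this rule writes a bare `'\'` while the psexec conversion in this change writes `'\\'` for the same character; the Sigma spec accepts both for a literal backslash, but mixing spellings across one commit invites confusion.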
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 2f29807f8ef..34da2addf87 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -14,14 +14,18 @@ logsource:
service: smb_files
detection:
selection1:
- path: \\*\IPC$
- name:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ path|contains|all:
+ - '\\'
+ - '\IPC$'
+ name|endswith:
+ - '-stdin'
+ - '-stdout'
+ - '-stderr'
selection2:
- name: \\*\IPC$
- path: 'PSEXESVC*'
+ name|contains|all:
+ - '\\'
+ - '\IPC$'
+ path|startswith: 'PSEXESVC'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
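Review bot: `selection2` appears to have its fields swapped relative to `selection1`: it puts the IPC$ test on `name` and `PSEXESVC` on `path`, whereas `selection1` uses `path` for the share and `name` for the pipe. Because `condition: selection1 and not selection2` can only exclude events that already matched `selection1`, and no `name` can both end in `-stdin` and contain `\IPC$`, the exclusion is dead and genuine PsExec pipes are not filtered as the rule intends; `selection2` should read `path|contains|all: ['\\', '\IPC$']` and `name|startswith: 'PSEXESVC'`. The swap is visible in the removed lines too, so it predates this hunk, but the wildcard conversion was the moment to correct it.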
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 7e5880e00e1..5604b7171e4 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -12,19 +12,19 @@ logsource:
service: smb_files
detection:
selection:
- name:
- - '*.pst'
- - '*.ost'
- - '*.msg'
- - '*.nst'
- - '*.oab'
- - '*.edb'
- - '*.nsf'
- - '*.bak'
- - '*.dmp'
- - '*.kirbi'
- - '*\groups.xml'
- - '*.rdp'
+ name|endswith:
+ - '.pst'
+ - '.ost'
+ - '.msg'
+ - '.nst'
+ - '.oab'
+ - '.edb'
+ - '.nsf'
+ - '.bak'
+ - '.dmp'
+ - '.kirbi'
+ - '\groups.xml'
+ - '.rdp'
condition: selection
fields:
- ComputerName
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 75c4cc8014e..c5b85768e3d 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -17,7 +17,7 @@ detection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
- service: '$*'
+ service|startswith: '$'
condition: selection and not computer_acct
falsepositives:
- normal enterprise SPN requests activity
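Review bot: `service|startswith: '$'` preserves the direction of the old `'$*'` wildcard, but machine accounts are conventionally named with a trailing `$` (`HOST$`), so a `computer_acct` filter meant to exclude machine-account SPNs would more plausibly be `service|endswith: '$'`; as written it only excludes service names that begin with a dollar sign. If the Windows rule this was converted from really does use a leading `$`, a short comment saying so would stop the next reader from "fixing" it; otherwise flip the modifier.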
diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml
new file mode 100644
index 00000000000..8fc52699ce2
--- /dev/null
+++ b/rules/proxy/proxy_baby_shark.yml
@@ -0,0 +1,20 @@
+title: BabyShark Agent Pattern
+id: 304810ed-8853-437f-9e36-c4975c3dfd7e
+status: experimental
+description: Detects Baby Shark C2 Framework communcation patterns
+author: Florian Roth
+date: 2021/06/09
+references:
+ - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: 'momyshark?key='
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
\ No newline at end of file
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 9a4e0ecd0d5..5fd9a8641b6 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -10,7 +10,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/asp.asp?ui=*'
+ c-uri|contains: '/asp.asp?ui='
condition: selection
fields:
- ClientIP
@@ -22,4 +22,4 @@ level: critical
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 9bbaedc7e33..e604589b866 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -16,7 +16,7 @@ detection:
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
- cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+ cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'POST'
@@ -30,4 +30,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
new file mode 100644
index 00000000000..419c0f120cf
--- /dev/null
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -0,0 +1,25 @@
+title: CobaltStrike Malformed UAs in Malleable Profiles
+id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
+status: experimental
+description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
+author: Florian Roth
+date: 2021/05/06
+references:
+ - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent:
+ - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
+ - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
+ - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+tags:
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1071.001
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml
index e57a85e6aa8..d657963aa1d 100644
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@@ -16,7 +16,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/oscp/*'
+ c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
condition: selection
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 08457c817df..30975e58ad0 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects Malleable OneDrive Profile
author: Markus Neis
date: 2019/11/12
-modified: 2020/09/02
+modified: 2020/11/28
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
logsource:
@@ -12,10 +12,11 @@ logsource:
detection:
selection:
cs-method: 'GET'
- c-uri: '*?manifest=wac'
+ c-uri|endswith: '?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
- c-uri: 'http*://onedrive.live.com/*'
+ c-uri|startswith: 'http'
+ c-uri|contains: '://onedrive.live.com/'
condition: selection and not filter
falsepositives:
- Unknown
@@ -24,4 +25,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 708beca242c..4a73e87b4dd 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -30,77 +30,77 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- r-dns:
- - '*.hopto.org'
- - '*.no-ip.org'
- - '*.no-ip.info'
- - '*.no-ip.biz'
- - '*.no-ip.com'
- - '*.noip.com'
- - '*.ddns.name'
- - '*.myftp.org'
- - '*.myftp.biz'
- - '*.serveblog.net'
- - '*.servebeer.com'
- - '*.servemp3.com'
- - '*.serveftp.com'
- - '*.servequake.com'
- - '*.servehalflife.com'
- - '*.servehttp.com'
- - '*.servegame.com'
- - '*.servepics.com'
- - '*.myvnc.com'
- - '*.ignorelist.com'
- - '*.jkub.com'
- - '*.dlinkddns.com'
- - '*.jumpingcrab.com'
- - '*.ddns.info'
- - '*.mooo.com'
- - '*.dns-dns.com'
- - '*.strangled.net'
- - '*.adultdns.net'
- - '*.craftx.biz'
- - '*.ddns01.com'
- - '*.dns53.biz'
- - '*.dnsapi.info'
- - '*.dnsd.info'
- - '*.dnsdynamic.com'
- - '*.dnsdynamic.net'
- - '*.dnsget.org'
- - '*.fe100.net'
- - '*.flashserv.net'
- - '*.ftp21.net'
- - '*.http01.com'
- - '*.http80.info'
- - '*.https443.com'
- - '*.imap01.com'
- - '*.kadm5.com'
- - '*.mysq1.net'
- - '*.ns360.info'
- - '*.ntdll.net'
- - '*.ole32.com'
- - '*.proxy8080.com'
- - '*.sql01.com'
- - '*.ssh01.com'
- - '*.ssh22.net'
- - '*.tempors.com'
- - '*.tftpd.net'
- - '*.ttl60.com'
- - '*.ttl60.org'
- - '*.user32.com'
- - '*.voip01.com'
- - '*.wow64.net'
- - '*.x64.me'
- - '*.xns01.com'
- - '*.dyndns.org'
- - '*.dyndns.info'
- - '*.dyndns.tv'
- - '*.dyndns-at-home.com'
- - '*.dnsomatic.com'
- - '*.zapto.org'
- - '*.webhop.net'
- - '*.25u.com'
- - '*.slyip.net'
+ r-dns|endswith:
+ - '.hopto.org'
+ - '.no-ip.org'
+ - '.no-ip.info'
+ - '.no-ip.biz'
+ - '.no-ip.com'
+ - '.noip.com'
+ - '.ddns.name'
+ - '.myftp.org'
+ - '.myftp.biz'
+ - '.serveblog.net'
+ - '.servebeer.com'
+ - '.servemp3.com'
+ - '.serveftp.com'
+ - '.servequake.com'
+ - '.servehalflife.com'
+ - '.servehttp.com'
+ - '.servegame.com'
+ - '.servepics.com'
+ - '.myvnc.com'
+ - '.ignorelist.com'
+ - '.jkub.com'
+ - '.dlinkddns.com'
+ - '.jumpingcrab.com'
+ - '.ddns.info'
+ - '.mooo.com'
+ - '.dns-dns.com'
+ - '.strangled.net'
+ - '.adultdns.net'
+ - '.craftx.biz'
+ - '.ddns01.com'
+ - '.dns53.biz'
+ - '.dnsapi.info'
+ - '.dnsd.info'
+ - '.dnsdynamic.com'
+ - '.dnsdynamic.net'
+ - '.dnsget.org'
+ - '.fe100.net'
+ - '.flashserv.net'
+ - '.ftp21.net'
+ - '.http01.com'
+ - '.http80.info'
+ - '.https443.com'
+ - '.imap01.com'
+ - '.kadm5.com'
+ - '.mysq1.net'
+ - '.ns360.info'
+ - '.ntdll.net'
+ - '.ole32.com'
+ - '.proxy8080.com'
+ - '.sql01.com'
+ - '.ssh01.com'
+ - '.ssh22.net'
+ - '.tempors.com'
+ - '.tftpd.net'
+ - '.ttl60.com'
+ - '.ttl60.org'
+ - '.user32.com'
+ - '.voip01.com'
+ - '.wow64.net'
+ - '.x64.me'
+ - '.xns01.com'
+ - '.dyndns.org'
+ - '.dyndns.info'
+ - '.dyndns.tv'
+ - '.dyndns-at-home.com'
+ - '.dnsomatic.com'
+ - '.zapto.org'
+ - '.webhop.net'
+ - '.25u.com'
+ - '.slyip.net'
condition: selection
fields:
- cs-ip
@@ -112,4 +112,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1105
- - attack.t1568
\ No newline at end of file
+ - attack.t1568
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 26fb1c0ebd9..76081c8d814 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -33,73 +33,73 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- r-dns:
+ r-dns|endswith:
# Symantec / Chris Larsen analysis
- - '*.country'
- - '*.stream'
- - '*.gdn'
- - '*.mom'
- - '*.xin'
- - '*.kim'
- - '*.men'
- - '*.loan'
- - '*.download'
- - '*.racing'
- - '*.online'
- - '*.science'
- - '*.ren'
- - '*.gb'
- - '*.win'
- - '*.top'
- - '*.review'
- - '*.vip'
- - '*.party'
- - '*.tech'
- - '*.xyz'
- - '*.date'
- - '*.faith'
- - '*.zip'
- - '*.cricket'
- - '*.space'
+ - '.country'
+ - '.stream'
+ - '.gdn'
+ - '.mom'
+ - '.xin'
+ - '.kim'
+ - '.men'
+ - '.loan'
+ - '.download'
+ - '.racing'
+ - '.online'
+ - '.science'
+ - '.ren'
+ - '.gb'
+ - '.win'
+ - '.top'
+ - '.review'
+ - '.vip'
+ - '.party'
+ - '.tech'
+ - '.xyz'
+ - '.date'
+ - '.faith'
+ - '.zip'
+ - '.cricket'
+ - '.space'
# McAfee report
- - '*.info'
- - '*.vn'
- - '*.cm'
- - '*.am'
- - '*.cc'
- - '*.asia'
- - '*.ws'
- - '*.tk'
- - '*.biz'
- - '*.su'
- - '*.st'
- - '*.ro'
- - '*.ge'
- - '*.ms'
- - '*.pk'
- - '*.nu'
- - '*.me'
- - '*.ph'
- - '*.to'
- - '*.tt'
- - '*.name'
- - '*.tv'
- - '*.kz'
- - '*.tc'
- - '*.mobi'
+ - '.info'
+ - '.vn'
+ - '.cm'
+ - '.am'
+ - '.cc'
+ - '.asia'
+ - '.ws'
+ - '.tk'
+ - '.biz'
+ - '.su'
+ - '.st'
+ - '.ro'
+ - '.ge'
+ - '.ms'
+ - '.pk'
+ - '.nu'
+ - '.me'
+ - '.ph'
+ - '.to'
+ - '.tt'
+ - '.name'
+ - '.tv'
+ - '.kz'
+ - '.tc'
+ - '.mobi'
# Spamhaus
- - '*.study'
- - '*.click'
- - '*.link'
- - '*.trade'
- - '*.accountant'
+ - '.study'
+ - '.click'
+ - '.link'
+ - '.trade'
+ - '.accountant'
# Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- - '*.cf'
- - '*.gq'
- - '*.ml'
- - '*.ga'
+ - '.cf'
+ - '.gq'
+ - '.ml'
+ - '.ga'
# Custom
- - '*.pw'
+ - '.pw'
condition: selection
fields:
- ClientIP
@@ -113,4 +113,4 @@ tags:
- attack.execution
- attack.t1203
- attack.t1204.002
- - attack.t1204 # an old one
\ No newline at end of file
+ - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
index 9b66a43ad14..9b9200c5df6 100644
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@@ -29,25 +29,25 @@ detection:
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
- r-dns:
- - '*.com'
- - '*.org'
- - '*.net'
- - '*.edu'
- - '*.gov'
- - '*.uk'
- - '*.ca'
- - '*.de'
- - '*.jp'
- - '*.fr'
- - '*.au'
- - '*.us'
- - '*.ch'
- - '*.it'
- - '*.nl'
- - '*.se'
- - '*.no'
- - '*.es'
+ r-dns|endswith:
+ - '.com'
+ - '.org'
+ - '.net'
+ - '.edu'
+ - '.gov'
+ - '.uk'
+ - '.ca'
+ - '.de'
+ - '.jp'
+ - '.fr'
+ - '.au'
+ - '.us'
+ - '.ch'
+ - '.it'
+ - '.nl'
+ - '.se'
+ - '.no'
+ - '.es'
# Extend this list as needed
condition: selection and not filter
fields:
diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml
index 472ec041d3b..c1a8bf30f64 100644
--- a/rules/proxy/proxy_downloadcradle_webdav.yml
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml
@@ -11,7 +11,7 @@ logsource:
category: proxy
detection:
selection:
- c-useragent: 'Microsoft-WebDAV-MiniRedir/*'
+ c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
fields:
@@ -27,4 +27,4 @@ level: high
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index 9501f8f1f7d..a1f1ee1a068 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -12,7 +12,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/list/suc?name=*'
+ c-uri|contains: '/list/suc?name='
condition: selection
fields:
- ClientIP
@@ -30,4 +30,4 @@ tags:
- attack.credential_access
- attack.t1528
- attack.t1552.001
- - attack.t1081 # an old one
\ No newline at end of file
+ - attack.t1081 # an old one
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index c03e2182ae7..f3d91771eb3 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -11,7 +11,7 @@ logsource:
category: proxy
detection:
selection:
- c-useragent: '* WindowsPowerShell/*'
+ c-useragent|contains: ' WindowsPowerShell/'
condition: selection
fields:
- ClientIP
@@ -24,4 +24,4 @@ level: medium
tags:
- attack.defense_evasion
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index 402bcb5145f..521ab197a56 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -4,17 +4,17 @@ status: experimental
description: Detects a flashplayer update from an unofficial location
author: Florian Roth
date: 2017/10/25
+modified: 2020/11/28
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
logsource:
category: proxy
detection:
selection:
- c-uri-query:
- - '*/install_flash_player.exe'
- - '*/flash_install.php*'
+ - c-uri-query|contains: '/flash_install.php'
+ - c-uri-query|endswith: '/install_flash_player.exe'
filter:
- c-uri-stem: '*.adobe.com/*'
+ c-uri-stem|contains: '.adobe.com/'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
@@ -27,4 +27,4 @@ tags:
- attack.t1204 # an old one
- attack.defense_evasion
- attack.t1036.005
- - attack.t1036 # an old one
\ No newline at end of file
+ - attack.t1036 # an old one
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml
index a4a79014f6f..eda3a5ef940 100644
--- a/rules/proxy/proxy_telegram_api.yml
+++ b/rules/proxy/proxy_telegram_api.yml
@@ -16,10 +16,10 @@ detection:
r-dns:
- 'api.telegram.org' # Often used by Bots
filter:
- c-useragent:
+ c-useragent|contains:
# Used https://core.telegram.org/bots/samples for this list
- - '*Telegram*'
- - '*Bot*'
+ - 'Telegram'
+ - 'Bot'
condition: selection and not filter
fields:
- ClientIP
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 8418b05c9ed..0c51fd03536 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -49,6 +49,7 @@ detection:
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
+ - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
condition: selection
fields:
- ClientIP
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index f3199403624..d0c169d4e25 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -9,13 +9,13 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
- - 'Microsoft BITS/*'
+ c-useragent|startswith:
+ - 'Microsoft BITS/'
falsepositives:
- r-dns:
- - '*.com'
- - '*.net'
- - '*.org'
+ r-dns|endswith:
+ - '.com'
+ - '.net'
+ - '.org'
condition: selection and not falsepositives
fields:
- ClientIP
@@ -30,4 +30,4 @@ tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- - attack.s0190
\ No newline at end of file
+ - attack.s0190
diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml
index d1d0b763d11..ea4a3bd2654 100644
--- a/rules/proxy/proxy_ua_cryptominer.yml
+++ b/rules/proxy/proxy_ua_cryptominer.yml
@@ -12,11 +12,11 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
+ c-useragent|startswith:
# XMRig
- - 'XMRig *'
+ - 'XMRig '
# CCMiner
- - 'ccminer*'
+ - 'ccminer'
condition: selection
fields:
- ClientIP
@@ -27,4 +27,4 @@ falsepositives:
level: high
tags:
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index 7ebcc109b40..1e2f96537fd 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -12,58 +12,58 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
- # Vulnerability scanner and brute force tools
- - '*(hydra)*'
- - '* arachni/*'
- - '* BFAC *'
- - '* brutus *'
- - '* cgichk *'
- - '*core-project/1.0*'
- - '* crimscanner/*'
- - '*datacha0s*'
- - '*dirbuster*'
- - '*domino hunter*'
- - '*dotdotpwn*'
- - 'FHScan Core'
- - '*floodgate*'
- - '*get-minimal*'
- - '*gootkit auto-rooter scanner*'
- - '*grendel-scan*'
- - '* inspath *'
- - '*internet ninja*'
- - '*jaascois*'
- - '* zmeu *'
- - '*masscan*'
- - '* metis *'
- - '*morfeus fucking scanner*'
- - '*n-stealth*'
- - '*nsauditor*'
- - '*pmafind*'
- - '*security scan*'
- - '*springenwerk*'
- - '*teh forest lobster*'
- - '*toata dragostea*'
- - '* vega/*'
- - '*voideye*'
- - '*webshag*'
- - '*webvulnscan*'
- - '* whcc/*'
+ c-useragent|contains:
+ # Vulnerbility scanner and brute force tools
+ - '(hydra)'
+ - ' arachni/'
+ - ' BFAC '
+ - ' brutus '
+ - ' cgichk '
+ - 'core-project/1.0'
+ - ' crimscanner/'
+ - 'datacha0s'
+ - 'dirbuster'
+ - 'domino hunter'
+ - 'dotdotpwn'
+ - 'FHScan Core'
+ - 'floodgate'
+ - 'get-minimal'
+ - 'gootkit auto-rooter scanner'
+ - 'grendel-scan'
+ - ' inspath '
+ - 'internet ninja'
+ - 'jaascois'
+ - ' zmeu '
+ - 'masscan'
+ - ' metis '
+ - 'morfeus fucking scanner'
+ - 'n-stealth'
+ - 'nsauditor'
+ - 'pmafind'
+ - 'security scan'
+ - 'springenwerk'
+ - 'teh forest lobster'
+ - 'toata dragostea'
+ - ' vega/'
+ - 'voideye'
+ - 'webshag'
+ - 'webvulnscan'
+ - ' whcc/'
- # SQL Injection
- - '* Havij'
- - '*absinthe*'
- - '*bsqlbf*'
- - '*mysqloit*'
- - '*pangolin*'
- - '*sql power injector*'
- - '*sqlmap*'
- - '*sqlninja*'
- - '*uil2pn*'
+ # SQL Injection
+ - ' Havij'
+ - 'absinthe'
+ - 'bsqlbf'
+ - 'mysqloit'
+ - 'pangolin'
+ - 'sql power injector'
+ - 'sqlmap'
+ - 'sqlninja'
+ - 'uil2pn'
- # Hack tool
- - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
+ # Hack tool
+ - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
fields:
- ClientIP
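Review bot: The rewritten comment introduces a typo that the removed line did not have: `# Vulnerbility scanner and brute force tools` should read `# Vulnerability scanner and brute force tools`. The entries with deliberate leading/trailing spaces (`' BFAC '`, `' brutus '`, `' metis '`) survive the wildcard-to-`contains` conversion, but nothing says the spaces are intentional; a line such as `# leading/trailing spaces are intentional: they act as token delimiters under |contains` would stop a later cleanup from stripping them. The rule header and tags are outside this hunk.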
@@ -76,4 +76,4 @@ tags:
- attack.initial_access
- attack.t1190
- attack.credential_access
- - attack.t1110
\ No newline at end of file
+ - attack.t1110
diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
index 682ff4b7253..1445ed4f3fd 100644
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -4,12 +4,15 @@ status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
-modified: 2020/09/03
+modified: 2020/11/28
logsource:
category: proxy
detection:
selection:
- c-uri: '*/*.php?l=*.cab'
+ c-uri|contains|all:
+ - '/'
+ - '.php?l='
+ c-uri|endswith: '.cab'
sc-status: 200
condition: selection
fields:
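Review bot: The `'/'` entry under `c-uri|contains|all` adds no constraint, because every request URI the proxy logs already contains a slash, so the selection reduces to "contains `.php?l=` and ends with `.cab`". The removed `'*/*.php?l=*.cab'` pattern was effectively the same match, so the behaviour is unchanged, but the redundant value will puzzle the next reader; either drop it and write `c-uri|contains: '.php?l='`, or add `# '/' kept only to mirror the old wildcard pattern` above it. The rule's second detection block is in the following hunk.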
@@ -32,13 +35,13 @@ logsource:
category: proxy
detection:
b64encoding:
- c-uri:
- - "*_2f*"
- - "*_2b*"
+ c-uri|contains:
+ - "_2f"
+ - "_2b"
urlpatterns:
- c-uri|all:
- - "*.avi"
- - "*/images/*"
+ c-uri|contains|all:
+ - ".avi"
+ - "/images/"
condition: b64encoding and urlpatterns
fields:
- c-ip
@@ -56,4 +59,4 @@ tags:
- attack.t1204.002
- attack.t1204 # an old one
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
new file mode 100644
index 00000000000..8a240ab4023
--- /dev/null
+++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -0,0 +1,30 @@
+title: CVE-2021-21978 Exploitation Attempt
+id: 77586a7f-7ea4-4c41-b19c-820140b84ca9
+status: experimental
+description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
+author: Bhabesh Raj
+date: 2020/03/10
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
+ - https://twitter.com/wugeej/status/1369476795255320580
+ - https://paper.seebug.org/1495/
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - 'logupload'
+ - 'logMetaData'
+ - 'wsgi_log_upload.py'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
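Review bot: `date: 2020/03/10` predates the vulnerability the rule is written for (CVE-2021-21978) and both 2021-dated references, so the year is presumably a typo for `2021/03/10`. `falsepositives: - None` at `level: high` is a strong statement for three `contains` tokens that do not have to appear in order; if that is deliberate, a short comment such as `# all three tokens are specific to the View Planner upload handler` would justify it. The file also lacks a trailing newline, which this same diff fixes in many sibling rules.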
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
new file mode 100644
index 00000000000..672226f457c
--- /dev/null
+++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -0,0 +1,25 @@
+title: Exploitation of CVE-2021-26814 in Wazuh
+id: b9888738-29ed-4c54-96a4-f38c57b84bb3
+status: experimental
+description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
+author: Florian Roth
+date: 2021/05/22
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
+ - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
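Review bot: The last tag, `- cve.2021-21978`, is carried over from the View Planner rule and does not match this rule's CVE; it should be `- cve.2021-26814`. The file name `web_cve_2021_26814_wzuh_rce.yml` also misspells Wazuh, which the title spells correctly. The `c-uri|contains` value is a literal traversal string, so it will only fire where the web server logs the request path un-decoded; stating that assumption in the description (or a `definition:` under `logsource`) would help deployers. As with the previous rule, the file ends without a newline.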
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
index a813d613c49..cb06e1d0ff3 100644
--- a/rules/web/web_exchange_exploitation_hafnium.yml
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
@@ -1,7 +1,7 @@
title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
status: experimental
-description: Detects CVE-2020-0688 Exploitation attempts
+description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml
new file mode 100644
index 00000000000..62cd6efd541
--- /dev/null
+++ b/rules/web/web_expl_exchange_cve_2021_28480.yml
@@ -0,0 +1,23 @@
+title: Exchange Exploitation CVE-2021-28480
+id: a2a9d722-0acb-4096-bccc-daaf91a5037b
+status: experimental
+description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
+references:
+ - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/owa/calendar/a'
+ cs-method: 'POST'
+ filter:
+ sc-status: 503
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
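Review bot: The description typo `successfull` should be `successful`. The rule's only exclusion is `sc-status: 503`, and the hunk gives no reason why that single status separates a failed attempt from a successful one at `level: critical`; a comment above `filter:`, e.g. `# 503 is the server-side rejection seen on failed attempts; any other status is treated as success`, would make the threshold reviewable (hedged, since the rationale is not visible here). The file also lacks a trailing newline.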
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
new file mode 100644
index 00000000000..578db765ece
--- /dev/null
+++ b/rules/web/web_nginx_core_dump.yml
@@ -0,0 +1,20 @@
+title: Nginx Core Dump
+id: 59ec40bb-322e-40ab-808d-84fa690d7e56
+description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts
+author: Florian Roth
+date: 2021/05/31
+references:
+ - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
+ - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+logsource:
+ product: apache
+detection:
+ keywords:
+ - 'exited on signal 6 (core dumped)'
+ condition: keywords
+falsepositives:
+ - Serious issues with a configuration or plugin
+level: high
+tags:
+ - attack.impact
+ - attack.t1499.004
\ No newline at end of file
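Review bot: `product: apache` under `logsource` contradicts the title, the keyword and the Nginx references; presumably `product: nginx` was meant, subject to what the project's logsource taxonomy supports. The description has a typo, `creashing` → `crashing`. Unlike most other new rules in this diff, there is no `status:` field, and the file lacks a trailing newline.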
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index fc068bf4e7b..b4ccdb5c3d1 100644
--- a/rules/web/win_webshell_regeorg.yml
+++ b/rules/web/win_webshell_regeorg.yml
@@ -13,11 +13,11 @@ logsource:
detection:
selection:
uri_query|contains:
- - '*cmd=read*'
- - '*connect&target*'
- - '*cmd=connect*'
- - '*cmd=disconnect*'
- - '*cmd=forward*'
+ - 'cmd=read'
+ - 'connect&target'
+ - 'cmd=connect'
+ - 'cmd=disconnect'
+ - 'cmd=forward'
filter:
referer: null
useragent: null
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index b44e64c2433..669bcdaa58e 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -19,8 +19,10 @@ detection:
selection:
EventID: 5145
ShareName: \\*\SYSVOL
- RelativeTargetName: '*ScheduledTasks.xml'
- Accesses: '*WriteData*'
+ RelativeTargetName|endswith: 'ScheduledTasks.xml'
+ Accesses|contains:
+ - 'WriteData'
+ - '%%4417'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
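Review bot: The new `'%%4417'` value under `Accesses|contains` is an unresolved Windows message-parameter placeholder and will look like noise to the next maintainer; add a comment above it such as `# %%4417 is the unresolved parameter string for WriteData/AddFile in 5145 events (seen when the collector does not expand message strings)`. The `RelativeTargetName|endswith: 'ScheduledTasks.xml'` conversion is faithful to the removed wildcard. The rule header and tags are outside this hunk.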
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml
index d7d9b1ce6c9..a6705cb8845 100644
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@@ -21,18 +21,20 @@ detection:
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
- ObjectName:
- - '*-512'
- - '*-502'
- - '*-500'
- - '*-505'
- - '*-519'
- - '*-520'
- - '*-544'
- - '*-551'
- - '*-555'
- - '*admin*'
- condition: selection
+ selection_object:
+ - ObjectName|endswith:
+ - '-512'
+ - '-502'
+ - '-500'
+ - '-505'
+ - '-519'
+ - '-520'
+ - '-544'
+ - '-551'
+ - '-555'
+ - ObjectName|contains:
+ - 'admin'
+ condition: selection and selection_object
falsepositives:
- if source account name is not an admin then its super suspicious
level: high
diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index 60a4c5974c3..b3ebbc9421b 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -5,7 +5,7 @@ status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
tags:
- attack.defense_evasion
- attack.t1222 # an old one
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index fcdb3ee67bb..2fe27687b31 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -6,7 +6,7 @@ date: 2019/07/26
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
tags:
- attack.credential_access
- attack.t1003 # an old one
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index c276804b09d..99aa6af168b 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -23,7 +23,7 @@ detection:
EventID: 4624
LogonType: 10
AuthenticationPackageName: Negotiate
- AccountName: 'Admin-*'
+ AccountName|startswith: 'Admin-'
condition: selection
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 22919f3bcbf..33ea1151224 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -18,7 +18,7 @@ detection:
EventID: 5140
ShareName: Admin$
filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 882bda89ca0..078f02eb02e 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -17,8 +17,8 @@ detection:
selection:
EventID: 4704
keywords:
- Message:
- - '*SeEnableDelegationPrivilege*'
+ Message|contains:
+ - 'SeEnableDelegationPrivilege'
condition: all of them
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index ad1a2174c5d..c0904ce5339 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -18,13 +18,13 @@ detection:
selection:
EventID: 4738
keywords:
- Message:
- - '*DES*'
- - '*Preauth*'
- - '*Encrypted*'
+ Message|contains:
+ - 'DES'
+ - 'Preauth'
+ - 'Encrypted'
filters:
- Message:
- - '*Enabled*'
+ Message|contains:
+ - 'Enabled'
condition: selection and keywords and filters
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index 3c6ec77fc19..a2cddf48a72 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
EventID: 1121
- Path: '*\lsass.exe'
+ Path|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Google Chrome GoogleUpdate.exe
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 34f43994ab5..1280bd7674e 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -19,17 +19,17 @@ logsource:
product: windows
detection:
keywords:
- Message:
- - "* mimikatz *"
- - "* mimilib *"
- - "* <3 eo.oe *"
- - "* eo.oe.kiwi *"
- - "* privilege::debug *"
- - "* sekurlsa::logonpasswords *"
- - "* lsadump::sam *"
- - "* mimidrv.sys *"
- - "* p::d *"
- - "* s::l *"
+ Message|contains:
+ - "mimikatz"
+ - "mimilib"
+ - "<3 eo.oe"
+ - "eo.oe.kiwi"
+ - "privilege::debug"
+ - "sekurlsa::logonpasswords"
+ - "lsadump::sam"
+ - "mimidrv.sys"
+ - " p::d "
+ - " s::l "
condition: keywords
falsepositives:
- Naughty administrators
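Review bot: The conversion is not uniform: every removed pattern carried surrounding spaces (`"* mimikatz *"`), the new list drops them for eight entries but keeps them for `" p::d "` and `" s::l "`. Dropping the delimiters widens the match (`mimikatz.exe`, `mimilib.dll` now hit, which may well be intended), while the two short aliases keep them presumably to limit substring noise; the reasoning belongs in the file, e.g. `# spaces kept only on the two-letter aliases to avoid substring matches`. The hunk shows the whole keywords block; the rule header is above it.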
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 4d07c30773a..1d61e8bfeb1 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -17,7 +17,7 @@ detection:
selection:
EventID: 7045
ServiceName: NtsSrv
- ServiceFileName: '* LocalService'
+ ServiceFileName|endswith: ' LocalService'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
new file mode 100644
index 00000000000..49d00cae76f
--- /dev/null
+++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -0,0 +1,30 @@
+title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+id: 24de4f3b-804c-4165-b442-5a06a2302c7e
+description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+author: Sreeman
+date: 2020/13/03
+modified: 2021/06/11
+references:
+ - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+tags:
+ - attack.t1204
+ - attack.t1193
+ - attack.execution
+ - attack.initial_access
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ CommandLine|contains: '.SettingContent-ms'
+ filter:
+ FilePath|contains:
+ - 'immersivecontrolpanel'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+fields:
+ - ParentProcess
+ - CommandLine
+ - ParentCommandLine
+level: medium
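Review bot: `date: 2020/13/03` is not a valid date (month 13); the same value appears in `win_asr_bypass_via_appvlp_re.yml` later in this diff, presumably `2020/03/13` in both. The logsource is `product: windows` / `service: security`, yet the selection matches on `CommandLine` and `FilePath`, which read like process-creation fields; if 4688 events are intended, either `category: process_creation` or a `definition:` naming the required audit setting would make the rule portable across backends. `attack.t1193` looks like a retired technique ID (sibling rules mark such entries `# an old one`), and there is no `status:` field.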
diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml
new file mode 100644
index 00000000000..09845cc8742
--- /dev/null
+++ b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml
@@ -0,0 +1,25 @@
+title: Using AppVLP To Circumvent ASR File Path Rule
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+status: experimental
+description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
+author: Sreeman
+date: 2020/13/03
+modified: 2021/06/11
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)'
+ condition: selection
+falsepositives:
+ - unknown
+fields:
+ - ParentProcess
+ - CommandLine
+ - ParentCommandLine
+level: medium
\ No newline at end of file
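Review bot: The dots in `CommandLine|re` are unescaped, so `(.sh|.exe|...)` matches any character followed by those letters — `.sh` matches the `rsh` inside a later `powershell` token and `.ps` matches `pps` in `apps` — which means the extension list constrains far less than it appears to. Escape them and drop the leading `.*`, which an unanchored regex does not need: `CommandLine|re: '(?i)appvlp\.exe.*(cmd\.exe|powershell\.exe).*\.(sh|exe|dll|bin|bat|cmd|js|msh|reg|scr|ps|vb|jar|pl|inf)'`. The description is missing a space after `Office.`, the date `2020/13/03` is invalid (month 13), and the file lacks a trailing newline.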
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index 037db2528d3..c0f68564f6a 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -21,7 +21,7 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: atsvc
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- pentesting
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index 14191d944dc..cbf84be0e31 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -9,34 +9,32 @@ logsource:
service: application
detection:
keywords:
- Message:
- - "*HTool*"
- - "*Hacktool*"
- - "*ASP/Backdoor*"
- - "*JSP/Backdoor*"
- - "*PHP/Backdoor*"
- - "*Backdoor.ASP*"
- - "*Backdoor.JSP*"
- - "*Backdoor.PHP*"
- - "*Webshell*"
- - "*Portscan*"
- - "*Mimikatz*"
- - "*WinCred*"
- - "*PlugX*"
- - "*Korplug*"
- - "*Pwdump*"
- - "*Chopper*"
- - "*WmiExec*"
- - "*Xscan*"
- - "*Clearlog*"
- - "*ASPXSpy*"
- - "*Seatbelt*"
- - "*sbelt*"
- filters:
- Message:
- - "*Keygen*"
- - "*Crack*"
- condition: keywords and not 1 of filters
+ Message|contains:
+ - "HTool"
+ - "Hacktool"
+ - "ASP/Backdoor"
+ - "JSP/Backdoor"
+ - "PHP/Backdoor"
+ - "Backdoor.ASP"
+ - "Backdoor.JSP"
+ - "Backdoor.PHP"
+ - "Webshell"
+ - "Portscan"
+ - "Mimikatz"
+ - "WinCred"
+ - "PlugX"
+ - "Korplug"
+ - "Pwdump"
+ - "Chopper"
+ - "WmiExec"
+ - "Xscan"
+ - "Clearlog"
+ - "ASPXSpy"
+ filter:
+ Message|contains:
+ - "Keygen"
+ - "Crack"
+ condition: keywords and not filter
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
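Review bot: The rewrite silently drops two keywords present on the removed side — `"*Seatbelt*"` and `"*sbelt*"` — and nothing in the hunk explains why. If removing them is deliberate (for instance because `sbelt` is too noisy), say so in the commit message or a comment; otherwise re-add `- "Seatbelt"` and `- "sbelt"` under `Message|contains`. The rename `filters` → `filter` with `condition: keywords and not filter` is consistent with the rest of this diff. The rule header is outside the hunk.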
diff --git a/rules/windows/builtin/win_camera_microphone_access.yml b/rules/windows/builtin/win_camera_microphone_access.yml
new file mode 100644
index 00000000000..66ffcb1e29f
--- /dev/null
+++ b/rules/windows/builtin/win_camera_microphone_access.yml
@@ -0,0 +1,29 @@
+title: Processes Accessing the Microphone and Webcam
+id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
+description: Potential adversaries accessing the microphone and webcam in an endpoint.
+status: experimental
+date: 2020/06/07
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1123
+references:
+ - https://twitter.com/duzvik/status/1269671601852813320
+ - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 4657
+ - 4656
+ - 4663
+ selection2:
+ ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
+ selection3:
+ ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Unknown
+level: medium
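Review bot: Events 4656/4657/4663 on registry keys are, as far as I know, only produced when Object Access auditing is enabled and a SACL exists on the keys in question, and the rule does not state that; add a `definition:` line under `logsource` naming the required audit subcategory and the SACL on the `ConsentStore` keys so deployers understand why the rule is silent by default. `selection2` and `selection3` could also be a single list, `ObjectName|contains:` with both `\...\microphone\NonPackaged` and `\...\webcam\NonPackaged` values and `condition: selection1 and selection2`, which is the form the rest of this diff uses for OR'd values.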
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000000..9834aee8670
--- /dev/null
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -0,0 +1,34 @@
+title: CobaltStrike Service Installations
+id: 5a105d34-05fc-401e-8553-272b45c1522d
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+author: Florian Roth, Wojciech Lesicki
+references:
+ - https://www.sans.org/webcasts/119395
+date: 2021/05/26
+modified: 2021/06/03
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection1:
+ EventID: 7045
+ selection2:
+ ServiceFileName|contains|all:
+ - 'ADMIN$'
+ - '.exe'
+ selection3:
+ ServiceFileName|contains|all:
+ - '%COMSPEC%'
+ - 'start'
+ - 'powershell'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Unknown
+level: critical
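Review bot: `selection2` (`ServiceFileName|contains|all` with `ADMIN$` and `.exe`) describes any service whose binary is staged through the admin share, which legitimate remote-administration tooling also does, yet `falsepositives` says only `Unknown` at `level: critical`; list the known benign sources or document why ADMIN$-staged service binaries are treated as hostile here. A one-line comment above each selection naming the behaviour it captures, e.g. `# service image staged via the admin share` and `# service that launches PowerShell through %COMSPEC% start`, would make the two branches reviewable without the referenced webcast.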
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 00000000000..040b921f89b
--- /dev/null
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,25 @@
+title: DCERPC SMB Spoolss Named Pipe
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+ - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+ - https://twitter.com/_dirkjan/status/1309214379003588608
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+date: 2018/11/28
+author: OTR (Open Threat Research)
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName: \\*\IPC$
+ RelativeTargetName: spoolss
+ condition: selection
+falsepositives:
+ - 'Domain Controllers acting as printer servers too? :)'
+level: medium
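Review bot: Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled, and neither this rule nor the other new 5145-based rule in this diff (`win_dcom_iertutil_dll_hijack.yml`) says so; add `definition: 'Requires the advanced audit policy setting Object Access > Audit Detailed File Share (Success)'` under `logsource`, matching the `definition` style `win_global_catalog_enumeration.yml` uses elsewhere in this diff. `date: 2018/11/28` predates the two 2020 references, which looks like an oversight. The `':)'` in `falsepositives` reads as a placeholder; state the benign case plainly, e.g. `- Domain Controllers that also act as print servers`.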
diff --git a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000000..dc76cad1b48
--- /dev/null
+++ b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,25 @@
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+id: c39f0c81-7348-4965-ab27-2fde35a1b641
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1021.003
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index cfe2bd114bc..d4406838cd4 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -19,18 +19,21 @@ logsource:
detection:
selection:
EventID: 4662
- Properties:
- - '*Replicating Directory Changes All*'
- - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ Properties|contains:
+ - 'Replicating Directory Changes All'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
- SubjectUserName:
- - 'NT AUTHORITY*'
- - '*$'
- - 'MSOL_*'
- condition: selection and not filter1 and not filter2
+ SubjectUserName|startswith:
+ - 'NT AUTHORITY'
+ - 'MSOL_'
+ filter3:
+ SubjectUserName|endswith:
+ - '$'
+ condition: selection and not filter1 and not filter2 and not filter3
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
+ - Local Domain Admin account used for Azure AD Connect
level: high
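Review bot: `filter2` and `filter3` exclude by name shape only — any `SubjectUserName` starting with `NT AUTHORITY` or `MSOL_`, or ending in `$` — and the added falsepositive line is the only hint that `MSOL_` stands for the Azure AD Connect sync account. Put that in the detection itself, e.g. `# MSOL_ = Azure AD Connect sync account; trailing $ = machine accounts`, and note that where the sync account name is known the prefix can be replaced by the exact name so the exclusion is not satisfied by an arbitrary account with a matching prefix. The hunk shows the whole detection block; the header is above it.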
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
index b9d52b7e5be..f913f753184 100644
--- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
@@ -5,7 +5,7 @@ status: experimental
date: 2019/06/20
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.credential_access
- attack.t1003 # an old one
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
index a5a89c44533..c65a24252e0 100644
--- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.credential_access
- attack.t1003 # an old one
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index eb3392785be..c87885a4335 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -3,14 +3,16 @@ description: Detects enumeration of the global catalog (that can be performed us
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
-modified: 2020/08/23
+modified: 2021/06/01
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
- attack.discovery
- attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
- service: system
+ service: security
definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
selection:
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index 0140cbe324c..9a1d9139f93 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -20,7 +20,7 @@ detection:
service_installation:
EventID: 7045
ServiceName: 'BTOBTO'
- ServiceFileName: '*\execute.bat'
+ ServiceFileName|endswith: '\execute.bat'
condition: service_installation
fields:
- ServiceName
diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml
new file mode 100644
index 00000000000..8dee8a7c33d
--- /dev/null
+++ b/rules/windows/builtin/win_hidden_user_creation.yml
@@ -0,0 +1,25 @@
+title: Hidden Local User Creation
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1136.001
+references:
+ - https://twitter.com/SBousseaden/status/1387743867663958021
+author: Christian Burkard
+date: 2021/05/03
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4720
+ TargetUserName|endswith: '$'
+ condition: selection
+fields:
+ - EventCode
+ - AccountName
+falsepositives:
+ - unkown
+level: high
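Review bot: The `fields` list (`EventCode`, `AccountName`) does not name the fields the selection actually matches on (`EventID`, `TargetUserName`), so the output hint is out of step with the detection; `- EventID` and `- TargetUserName` would be consistent with the rest of the rule. The `falsepositives` entry also carries a typo, `- unkown` → `- Unknown`, which is the spelling the sibling rules in this commit use.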
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
new file mode 100644
index 00000000000..8731d1f9a74
--- /dev/null
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -0,0 +1,23 @@
+title: HybridConnectionManager Service Installation
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+description: Rule to detect the Hybrid Connection Manager service installation.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4697
+ ServiceName: HybridConnectionManager
+ ServiceFileName|contains: HybridConnectionManager
+ condition: selection
+falsepositives:
+ - Legitimate use of Hybrid Connection Manager via Azure function apps.
+level: high
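Review bot: The rule keys on security event 4697 but gives no `definition` stating the audit prerequisite, unlike the other security-log rules in this commit (the global-catalog and ISO-mount rules carry a `definition:` line under `logsource`); 4697 is only emitted when the "Audit Security System Extension" subcategory is enabled, so without that note a deployment can be silently blind. Suggest `definition: 'The advanced audit policy setting "System > Audit Security System Extension" must be configured for Success'`. Minor: `EventID:` as a one-element list works, but `EventID: 4697` reads the way the sibling rules do.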
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
new file mode 100644
index 00000000000..7b0329fbe2c
--- /dev/null
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -0,0 +1,28 @@
+title: HybridConnectionManager Service Running
+id: b55d23e5-6821-44ff-8a6e-67218891e49f
+description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+ product: windows
+ service: Microsoft-ServiceBus-Client
+detection:
+ selection:
+ EventID:
+ - 40300
+ - 40301
+ - 40302
+ Message|contains:
+ - 'HybridConnection'
+ - 'sb://'
+ - 'servicebus.windows.net'
+ - 'HybridConnectionManage'
+ condition: selection
+falsepositives:
+ - Legitimate use of Hybrid Connection Manager via Azure function apps.
+level: high
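Review bot: The list under `Message|contains` is OR-ed, so any Service Bus client event whose message mentions `sb://` or `servicebus.windows.net` fires this `high` rule, not only Hybrid Connection Manager activity; if the service itself is the target, `Message|contains|all` with the HybridConnection terms, or moving the generic Service Bus indicators into a separate lower-level selection, would keep the severity honest. The last entry `'HybridConnectionManage'` looks truncated next to the full product name above it — presumably meant to catch both "Manager" and "Management"; a one-line comment saying so would stop a future reader from "fixing" it.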
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 720c99ed844..7706d4ee147 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -1,8 +1,9 @@
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
description: Detect AD credential dumping using impacket secretdump HKTL
-author: Samir Bousseaden
+author: Samir Bousseaden, wagga
date: 2019/04/03
+modified: 2021/06/27
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
@@ -19,7 +20,9 @@ detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
- RelativeTargetName: 'SYSTEM32\\*.tmp'
+ RelativeTargetName|contains|all:
+ - 'SYSTEM32\'
+ - '.tmp'
condition: selection
falsepositives:
- pentesting
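Review bot: `RelativeTargetName|contains|all` matches the two substrings anywhere and in any order, which is broader than the `SYSTEM32\*.tmp` pattern it replaces (that one was anchored at the share root and required `.tmp` at the end). If that anchoring mattered, `RelativeTargetName|startswith: 'SYSTEM32\'` together with `RelativeTargetName|endswith: '.tmp'` keeps it while still avoiding the wildcard; if the broadening is deliberate, a short comment on the selection would spare the next reader the same question.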
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
new file mode 100644
index 00000000000..b33bf0cb8a0
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation CLIP+ Launcher
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2020/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
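Review bot: `modified: 2020/05/27` precedes `date: 2020/10/13`, so the rule records a modification before it was created; the sibling launcher rules added in this commit all use `modified: 2021/05/27`, which is presumably what was intended here as well.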
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
index e02bb5d0512..b76bdade56a 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -31,14 +31,14 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: driver_load
detection:
selection:
EventID: 6
---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
new file mode 100644
index 00000000000..3e8313bf7b6
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
new file mode 100644
index 00000000000..317760bda62
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,40 @@
+action: global
+title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/06/10
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: all of them
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: process_creation
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
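Review bot: The `category: process_creation` document carries no `selection_eventid`, so with the global `condition: all of them` it compiles to just the `ImagePath` regex against process-creation events, where `ImagePath` is not a field; the sibling launcher rules in this commit instead use a `driver_load` document with `EventID: 6` and `condition: selection and selection_eventid`. Either drop that document or give it a selection consistent with the others, and align the condition to `condition: selection and selection_eventid` so the file matches its siblings.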
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
new file mode 100644
index 00000000000..9664661b07d
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - unknown
+level: medium
+detection:
+ selection:
+ - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
new file mode 100644
index 00000000000..fcf7920ee31
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: medium
+detection:
+ selection:
+ - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
new file mode 100644
index 00000000000..df37801a0c7
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Stdin
+id: 487c7524-f892-4054-b263-8a0ace63fc25
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
new file mode 100644
index 00000000000..2bb42aec11f
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
new file mode 100644
index 00000000000..9ba4f8960c2
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use MSHTA
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
new file mode 100644
index 00000000000..84bf36fd030
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
new file mode 100644
index 00000000000..aaa51e80b4f
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/win_iso_mount.yml
new file mode 100644
index 00000000000..40796d9e7bd
--- /dev/null
+++ b/rules/windows/builtin/win_iso_mount.yml
@@ -0,0 +1,27 @@
+title: ISO Image Mount
+id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
+description: Detects the mount of ISO images on an endpoint
+status: experimental
+date: 2021/05/29
+author: Syed Hasan (@syedhasan009)
+references:
+ - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
+ - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
+ - https://twitter.com/MsftSecIntel/status/1257324139515269121
+tags:
+ - attack.initial_access
+ - attack.t1566.001
+logsource:
+ product: windows
+ service: security
+ definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
+detection:
+ selection:
+ EventID: 4663
+ ObjectServer: 'Security'
+ ObjectType: 'File'
+ ObjectName: '\Device\CdRom*'
+ condition: selection
+falsepositives:
+ - Software installation ISO files
+level: medium
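Review bot: `ObjectName: '\Device\CdRom*'` still relies on a trailing wildcard while the rest of this commit converts such patterns to modifiers (`ServiceFileName|endswith`, `ObjectName|endswith` in the smbexec and wceaux hunks); `ObjectName|startswith: '\Device\CdRom'` is the equivalent form. Since the selection matches any 4663 on a CdRom device object, the listed `Software installation ISO files` false positive should be expected at volume on build and admin hosts, which is worth saying in the description.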
diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml
index 55bab5f3b57..548473bb9c9 100644
--- a/rules/windows/builtin/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml
@@ -3,10 +3,10 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
description: Detects potential mimikatz-like tools accessing LSASS from non system account
status: experimental
date: 2019/06/20
-modified: 2019/11/10
+modified: 2021/03/17
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
tags:
- attack.credential_access
- attack.t1003 # an old one
@@ -19,11 +19,40 @@ detection:
EventID:
- 4663
- 4656
+ AccessMask:
+ - '0x40'
+ - '0x1400'
+ - '0x1000'
+ - '0x100000'
+ - '0x1410' # car.2019-04-004
+ - '0x1010' # car.2019-04-004
+ - '0x1438' # car.2019-04-004
+ - '0x143a' # car.2019-04-004
+ - '0x1418' # car.2019-04-004
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '40'
+ - '1400'
+ - '1000'
+ - '100000'
+ - '1410' # car.2019-04-004
+ - '1010' # car.2019-04-004
+ - '1438' # car.2019-04-004
+ - '143a' # car.2019-04-004
+ - '1418' # car.2019-04-004
+ - '1f0fff'
+ - '1f1fff'
+ - '1f2fff'
+ - '1f3fff'
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
- filter:
+ filter1:
SubjectUserName|endswith: '$'
- condition: selection and not filter
+ filter2:
+ ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
+ condition: selection and not filter1 and not filter2
fields:
- ComputerName
- ObjectName
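Review bot: `filter2` excludes every process whose `ProcessName` starts with `C:\Program Files`, which also covers `C:\Program Files (x86)` and any binary dropped under those trees, so for a credential-access rule it is a broad blind spot rather than a vendor-specific exclusion. Prefer listing the known AV/EDR binaries or vendor directories explicitly, and record the exclusion in `falsepositives` so tuning teams can see it. The hex and prefix-less duplication in `AccessMask` (`'0x1410'` alongside `'1410'`) is presumably for backends that strip `0x`; a one-line comment to that effect would stop someone deduplicating the list.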
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml
index 5158c39669f..6a71474a875 100644
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@@ -5,7 +5,7 @@ description: Detects well-known credential dumping tools execution via service e
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
date: 2017/03/05
-modified: 2020/08/23
+modified: 2021/03/18
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
@@ -21,7 +21,7 @@ tags:
- attack.t1569.002
- attack.s0005
detection:
- selection_1:
+ selection:
- ServiceName|contains:
- 'fgexec'
- 'wceservice'
@@ -39,8 +39,7 @@ detection:
- 'gsecdump'
- 'servpw'
- 'pwdump'
- - ImagePath|re: '((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)'
- condition: selection and selection_1
+ condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
@@ -54,10 +53,7 @@ detection:
---
logsource:
product: windows
- service: sysmon
-detection:
- selection:
- EventID: 6
+ category: driver_load
---
logsource:
product: windows
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index 4bee531c4f7..5e9adf31e82 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -1,9 +1,9 @@
title: Malicious Service Installations
-id: 5a105d34-05fc-401e-8553-272b45c1522d
+id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
-modified: 2019/11/01
+modified: 2021/05/27
tags:
- attack.persistence
- attack.privilege_escalation
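Review bot: The rule's `id` is replaced (`5a105d34-…` → `2cfe636e-…`) with no explanation; consumers key suppressions, alert tuning and coverage mapping on that UUID, so a silent change orphans them. If the new UUID is intentional (for example because the old one collided with another rule), keep the old one discoverable — the Sigma `related:` field with the previous id, where the spec version in use supports it — and say why in a comment or the commit message.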
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index df16fe30308..e188aa4479c 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -21,7 +21,7 @@ detection:
- 4658
- 4660
- 4663
- ObjectName: '*\wceaux.dll'
+ ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Penetration testing
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 222cec98028..7e11837373e 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -2,9 +2,9 @@ action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-author: Teymur Kheirkhabarov, Ecco
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
-modified: 2020/08/23
+modified: 2021/05/20
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -14,7 +14,7 @@ tags:
- attack.t1134.001
- attack.t1134.002
detection:
- selection_1:
+ selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@@ -27,12 +27,18 @@ detection:
- '/c'
- 'echo'
- '\pipe\'
+ # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ - ServiceFileName|contains|all:
+ - 'cmd.exe'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
- condition: selection and selection_1
+ condition: selection
fields:
- ComputerName
- SubjectDomainName
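Review bot: The added `ServiceFileName|contains|all` entry (`'cmd.exe'`, `'/c'`, `'echo'`, `'\pipe\'`) is subsumed by the technique-1 entry in the previous hunk, whose first term is `'cmd'` — assuming its remaining terms are the same `/c`, `echo`, `\pipe\`, which the lines between the hunks do not show; any string containing `cmd.exe` also contains `cmd`, so the new list can never match something the old one does not. If the intent is the expanded `%COMSPEC%` form that the `1b` comment describes, the distinguishing term is whatever differs from the `1a` entry above the hunk, not `cmd.exe`; otherwise drop the entry to keep the rule tight.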
@@ -51,14 +57,11 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: driver_load
+---
+logsource:
+ product: windows
+ service: security
detection:
selection:
- EventID: 6
----
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+ EventID: 4697
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
index 31b971d24f7..190dc1057a2 100644
--- a/rules/windows/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -16,9 +16,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mmc.exe'
- CommandLine: '*-Embedding*'
+ ParentImage|endswith: '\svchost.exe'
+ Image|endswith: '\mmc.exe'
+ CommandLine|contains: '-Embedding'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml
new file mode 100644
index 00000000000..70636d9fa08
--- /dev/null
+++ b/rules/windows/builtin/win_moriya_rootkit.yml
@@ -0,0 +1,34 @@
+action: global
+title: Moriya Rootkit
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
+status: experimental
+author: Bhabesh Raj
+date: 2021/05/06
+modified: 2021/05/12
+level: critical
+falsepositives:
+ - None
+references:
+ - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+ ServiceName: ZzNetSvc
+ condition: selection
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
+ condition: selection
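Review bot: `TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'` is an exact match on the full path, so a system on another drive letter or with a non-default Windows directory is missed; `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` keeps the specificity (the filename is the indicator) while dropping the drive assumption. The `ServiceName: ZzNetSvc` document is fine as an exact match, since service names are not path-dependent.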
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index b0429c5325e..4269933d478 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -4,14 +4,35 @@ id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth
+author: Florian Roth, wagga
date: 2018/03/20
-modified: 2021/02/24
+modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
+detection:
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
+---
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection1:
+ TargetObject|contains|all:
+ - 'SYSTEM\'
+ - 'ControlSet'
+ - '\Control\Lsa'
+ TargetObject|endswith:
+ - '\lmcompatibilitylevel'
+ - '\NtlmMinClientSec'
+ - '\RestrictSendingNTLMTraffic'
+
+---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
@@ -20,7 +41,10 @@ logsource:
detection:
selection:
EventID: 4657
- ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
+ ObjectName|contains|all:
+ - '\REGISTRY\MACHINE\SYSTEM'
+ - 'ControlSet'
+ - '\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
@@ -28,4 +52,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml
new file mode 100644
index 00000000000..e652c7c8112
--- /dev/null
+++ b/rules/windows/builtin/win_net_use_admin_share.yml
@@ -0,0 +1,27 @@
+title: Mounted Windows Admin Shares with net.exe
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+status: experimental
+description: Detects when an admin share is mounted using net.exe
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga'
+date: 2020/10/05
+modified: 2021/06/27
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - ' use '
+ - '\\\*\\*$' # (Specs) If some wildcard after a backslash should be searched, the backslash has to be escaped: \\*
+ condition: selection
+falsepositives:
+ - Administrators
+level: medium
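Review bot: The second `CommandLine|contains|all` term, `'\\\*\\*$'`, does not look like it encodes the intended `\\<host>\<share>$`: read with the escaping rule the line itself cites (`\\*` = literal backslash followed by a wildcard), the leading `\\\*` becomes a literal backslash followed by a literal `*`, so the pattern would search for `\*\…$` rather than two wildcards. If the UNC admin-share form is intended, `'\\\\*\\*$'` is the spelling that yields `\\` + wildcard + `\` + wildcard + `$`; please verify against the rendered output of at least one backend before merging, since this is the term that gives the rule its specificity (` use ` alone is far too broad).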
diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
index f227cd53831..280873fed5d 100644
--- a/rules/windows/builtin/win_possible_dc_shadow.yml
+++ b/rules/windows/builtin/win_possible_dc_shadow.yml
@@ -18,11 +18,11 @@ logsource:
detection:
selection1:
EventID: 4742
- ServicePrincipalNames: '*GC/*'
+ ServicePrincipalNames|contains: 'GC/'
selection2:
EventID: 5136
LDAPDisplayName: servicePrincipalName
- Value: 'GC/*'
+ Value|startswith: 'GC/'
condition: selection1 OR selection2
falsepositives:
- Exclude known DCs
diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000000..01652c7c671
--- /dev/null
+++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
@@ -0,0 +1,43 @@
+action: global
+title: PowerShell Scripts Installed as Services
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+description: Detects powershell script installed as a Service
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+detection:
+ powershell_as_service:
+ ServiceFileName|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: service_creation and powershell_as_service
+falsepositives:
+ - Unknown
+level: high
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ service_creation:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ service_creation:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ service_creation:
+ EventID: 4697
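Review bot: The second document still pairs `service: sysmon` with `EventID: 6`, whereas this same commit converts exactly that pairing to `category: driver_load` in the other service-installation rules (the obfuscated-IEX, creddumper and getsystem hunks); a new file should follow the same convention so the logsource mapping stays uniform across the repository. Replace the two lines with `category: driver_load` under `product: windows` to match the siblings.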
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
new file mode 100644
index 00000000000..25f9d8143a6
--- /dev/null
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -0,0 +1,28 @@
+title: 'Possible Zerologon (CVE-2020-1472) Exploitation'
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+status: experimental
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+references:
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+ - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community'
+date: 2020/10/15
+tags:
+ - attack.t1068
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4742
+ SourceUserName: 'ANONYMOUS LOGON'
+ TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
+ filter:
+ ChangedAttributes|contains:
+ - 'Password Last Set: -'
+ condition: selection and not filter
+falsepositives:
+ - automatic DC computer account password change
+ - legitimate DC computer account password change
+level: high
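Review bot: `TargetUserName: '%DC-MACHINE-NAME%'` is a per-deployment placeholder that will never match as shipped, and the trailing inline comment is the only hint; a converted query would carry the literal string. State the requirement where readers look for it, e.g. `definition: Replace %DC-MACHINE-NAME% with the domain controllers' computer account names (ending in '$')` under `logsource`, or, if the noise is acceptable, use `TargetUserName|endswith: '$'` so the rule works without manual editing. `ocsd.community` in `author` is a typo for `oscd.community` as spelled in the neighbouring rules. The other new rules in this commit list the tactic tag before the technique tag (`attack.privilege_escalation` before `attack.t1068`); matching that order keeps the tag lists consistent.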
diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml
index 263de756b66..cd0a8900a3d 100644
--- a/rules/windows/builtin/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/win_protected_storage_service_access.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+ - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.lateral_movement
- attack.t1021 # an old one
@@ -22,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
index 9723914b073..3de3b459a26 100644
--- a/rules/windows/builtin/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -1,11 +1,12 @@
-title: Remote PowerShell Sessions
+title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
-description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
date: 2019/09/12
+modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1086 # an old one
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml
new file mode 100644
index 00000000000..d0f67207f15
--- /dev/null
+++ b/rules/windows/builtin/win_root_certificate_installed.yml
@@ -0,0 +1,47 @@
+action: global
+title: Root Certificate Installed
+id: 42821614-9264-4761-acfc-5772c3286f76
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/10
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: medium
+falsepositives:
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Move-Item'
+ - 'Cert:\LocalMachine\Root'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Import-Certificate'
+ - 'Cert:\LocalMachine\Root'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
+ CommandLine|contains|all:
+ - '-addstore'
+ - 'root'
+ selection2:
+ Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
+ CommandLine|contains|all:
+ - '/add'
+ - 'root'
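Review bot: In the process_creation document, `selection1` matches only the dash form `-addstore`, but certutil.exe accepts its switches with either `-` or `/`, so `/addstore` invocations are not covered; `selection2` already uses the slash form for CertMgr, so the two selections are inconsistent about prefixes. Dropping the prefix covers both: `- 'addstore'` in place of `- '-addstore'` under the existing `CommandLine|contains|all:`. `level` and `falsepositives` precede `detection` in the global document while every other new rule in this commit places them last; and the second half of the false-positive entry (`Need to test if GPO push doesn't trigger FP`) is a reviewer TODO rather than a false-positive source and belongs in a `# TODO:` comment instead.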
diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
index f5d90abbbd8..da2eac46f24 100644
--- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
@@ -6,7 +6,7 @@ date: 2019/08/12
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
+ - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
tags:
- attack.discovery
- attack.t1012
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
index 865cbc5b14e..bf753fdca32 100644
--- a/rules/windows/builtin/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+ - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
tags:
- attack.discovery
logsource:
@@ -17,8 +17,9 @@ detection:
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
Keywords: "Audit Failure"
+ filter:
SubjectLogonId: "0x3e4"
- condition: selection
+ condition: selection and not filter
falsepositives:
- Unknown
level: critical
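Review bot: Moving `SubjectLogonId: "0x3e4"` out of `selection` into a negated `filter` inverts the rule: it previously matched only failures by NETWORK SERVICE (logon ID 0x3e4) and now matches every SCM-database failure except those, yet no `modified:` date is added (the earlier hunk in this file shows `date: 2019/08/12` with no `modified:` line); the identical change in win_scm_database_privileged_operation.yml below has the same omission. Other rules in this commit bump `modified:` when detection logic changes (e.g. win_susp_lsass_dump.yml), so add `modified: <YYYY/MM/DD of this change>` to both files. Quoting is also mixed within the selection (`'SC_MANAGER OBJECT'` vs `"Audit Failure"` and `"0x3e4"`); single quotes are the convention in the rest of the file.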
diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml
index 9c9df1cb1bc..9501875ab42 100644
--- a/rules/windows/builtin/win_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/15
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+ - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
logsource:
product: windows
service: security
@@ -15,8 +15,9 @@ detection:
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
PrivilegeList: 'SeTakeOwnershipPrivilege'
+ filter:
SubjectLogonId: "0x3e4"
- condition: selection
+ condition: selection and not filter
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000000..ea32b4b6a25
--- /dev/null
+++ b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml
@@ -0,0 +1,27 @@
+title: Remote WMI ActiveScriptEventConsumers
+id: 9599c180-e3a8-4743-8f92-7fb96d3be648
+description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
+status: experimental
+date: 2020/09/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4624
+ LogonType: 3
+ ProcessName|endswith: 'scrcons.exe'
+ filter:
+ TargetLogonId: '0x3e7'
+ condition: selection and not filter
+falsepositives:
+ - SCCM
+level: high
\ No newline at end of file
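Review bot: `ProcessName|endswith: 'scrcons.exe'` has no leading path separator, so it also matches any process whose file name merely ends in that string; the other `|endswith` image matches in this commit anchor on the separator (`ProcessName|endswith: '\lsass.exe'` in win_susp_lsass_dump.yml). Write `ProcessName|endswith: '\scrcons.exe'`. The file is also committed without a trailing newline (`\ No newline at end of file`), which this same commit fixes in other rule files; add one here as well.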
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
new file mode 100644
index 00000000000..a00956dad74
--- /dev/null
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -0,0 +1,25 @@
+title: Set OabVirtualDirectory ExternalUrl Property
+id: 9db37458-4df2-46a5-95ab-307e7f29e675
+description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
+author: Jose Rodriguez @Cyb3rPandaH
+status: experimental
+date: 2021/03/15
+references:
+ - https://twitter.com/OTR_Community/status/1371053369071132675
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ selection:
+ Message|contains|all:
+ - 'Set-OabVirtualDirectory'
+ - 'ExternalUrl'
+ - 'Page_Load'
+ - 'script'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
new file mode 100644
index 00000000000..ad5a062187a
--- /dev/null
+++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
@@ -0,0 +1,26 @@
+title: SMB Create Remote File Admin Share
+id: b210394c-ba12-4f89-9117-44a2464b9511
+description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
+status: experimental
+date: 2020/08/06
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+ - https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName|endswith: 'C$'
+ AccessMask: '0x2'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
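Review bot: `ShareName|endswith: 'C$'` covers only the C$ share although the description frames the rule around administrative shares in general ("i.e C$" should read "e.g. C$"); `ADMIN$` and other drive-letter shares are not matched. If the broader scope is intended, use a list, `ShareName|endswith:` with `- 'C$'` and `- 'ADMIN$'`, while keeping the `SubjectUserName|endswith: '$'` machine-account filter; otherwise narrow the description to C$. `AccessMask: '0x2'` is an exact match on a bitmask field, so write requests that also carry other rights (a different mask value) do not match; that is consistent with the description but deserves a comment such as `# exact mask: only requests for WriteData alone are matched`. The file also lacks a trailing newline, which the commit fixes elsewhere.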
diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml
new file mode 100644
index 00000000000..d1c815ee103
--- /dev/null
+++ b/rules/windows/builtin/win_software_discovery.yml
@@ -0,0 +1,41 @@
+action: global
+title: Detected Windows Software Discovery
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+tags:
+ - attack.discovery
+ - attack.t1518
+level: medium
+falsepositives:
+ - Legitimate administration activities
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
+ - 'get-itemProperty'
+ - '\software\'
+ - 'select-object'
+ - 'format-table'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
+ CommandLine|contains|all:
+ - 'query'
+ - '\software\'
+ - '/v'
+ - 'svcversion'
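Review bot: The PowerShell document (`EventID: 4104`) does not state that it depends on Script Block Logging being enabled, which is the prerequisite for 4104 events and is commonly recorded in a `definition` for such logsources; add `definition: Script Block Logging must be enabled` under that `logsource`. The long inline `# Example: ...` comment on `ScriptBlockText|contains|all:` pushes that line well past any reasonable width; putting the example on its own comment line above the key (and doing the same for the `# Example:` on `Image|endswith: '\reg.exe'`) keeps the rule readable.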
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
new file mode 100644
index 00000000000..a64133d285b
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -0,0 +1,26 @@
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4648'
+ timeframe: 24h
+ condition:
+ - selection1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
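Review bot: This rule and the sibling files from the same author in this commit (win_susp_failed_logons_single_process.yml, the four win_susp_failed_logons_single_source_kerberos*/ntlm* files, and win_susp_failed_remote_logons_single_source.yml) use Splunk-style extracted field names — `Account_Name`, `Logon_Type`, `Caller_Process_Name`, `Failure_Code`, `Result_Code`, `Client_Address`, `Logon_Account`, `Source_Workstation`, `Source_Network_Address` — while every other Security-log rule in this diff uses the native event XML names (`SubjectUserName`, `TargetUserName`, `ProcessName`, `SubjectLogonId`). Backends other than Splunk will not resolve these fields; use the native names (for 4648 `count(TargetUserName) by Computer`, for 4625 `TargetUserName`, `LogonType`, `IpAddress`, `ProcessName`, for 4768/4771 `TargetUserName`, `Status`, `IpAddress`, for 4776 `TargetUserName`, `Status`, `Workstation`) and leave the Splunk spelling to the backend field mapping. For 4648 in particular the event has two "Account Name" values (subject and target), so `Account_Name` is ambiguous and the native names remove that ambiguity. `EventID: '4648'` and the other quoted `EventID`/`Logon_Type` values are strings whereas the repository writes `EventID: 4648` as an integer, these rules omit `status:` (the other new rules declare `status: experimental`), and "Missconfigured" in the Kerberos rules' falsepositives is a typo for "Misconfigured".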
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
new file mode 100644
index 00000000000..716bc8ae69b
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -0,0 +1,29 @@
+title: Multiple Users Failing to Authenticate from Single Process
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+description: Detects failed logins with multiple accounts from a single process on the system.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '2'
+ filter:
+ Caller_Process_Name: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Caller_Process_Name > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index d8727c3141c..dad0b88d82f 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -30,4 +30,4 @@ falsepositives:
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
-level: medium
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
new file mode 100644
index 00000000000..17114308a62
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4771'
+ Failure_Code: '0x18'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 00000000000..7da50919a69
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -0,0 +1,30 @@
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x12'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 00000000000..514ec94fd29
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x6'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 00000000000..b260bb58599
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC000006A'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 00000000000..ba48c1b97b5
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC0000064'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 00000000000..1f574e94299
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -0,0 +1,29 @@
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+description: Detects a source system failing to authenticate against a remote host with multiple users.
+author: Mauricio Velazco
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '3'
+ filter:
+ Source_Network_Address: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
index af191e20bdb..a5ebc967105 100644
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
@@ -18,7 +18,9 @@ logsource:
detection:
selection:
EventID: 4720
- SAMAccountName: '*ANONYMOUS*LOGON*'
+ SAMAccountName|contains|all:
+ - 'ANONYMOUS'
+ - 'LOGON'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
new file mode 100644
index 00000000000..142c6a7a7a8
--- /dev/null
+++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
@@ -0,0 +1,33 @@
+title: Suspicous Remote Logon with Explicit Credentials
+id: 941e5c45-cda7-4864-8cea-bbb7458d194a
+status: experimental
+description: Detects suspicious processes logging on with explicit credentials
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
+date: 2020/10/05
+tags:
+ - attack.t1078
+ - attack.lateral_movement
+logsource:
+ product: windows
+ service: security
+ definition:
+detection:
+ selection:
+ EventID: 4648
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\winrs.exe'
+ - '\wmic.exe'
+ - '\net.exe'
+ - '\net1.exe'
+ - '\reg.exe'
+ filter:
+ Target_Server_Name: 'localhost'
+ condition: selection and not filter
+falsepositives:
+ - Administrators that use the RunAS command or scheduled tasks
+level: medium
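Review bot: `Image|endswith:` is applied to a Security 4648 event, but 4648 exposes the calling process as `ProcessName`, the name the other Security-log rules in this commit use (`ProcessName|endswith: '\lsass.exe'` in win_susp_lsass_dump.yml, `ProcessName|endswith` in win_scrcons_remote_wmi_scripteventconsumer.yml); `Image` is the Sysmon/process_creation field and will not resolve here. Likewise `Target_Server_Name` is a Splunk-extracted spelling of the native `TargetServerName`; change the two keys to `ProcessName|endswith:` and `TargetServerName: 'localhost'`. The bare `definition:` under `logsource` parses as a null value — either fill it with the audit requirement or remove the key — and "Suspicous" in the title is a typo for "Suspicious".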
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index a21fdf9cf26..fef8980b1d4 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -3,6 +3,7 @@ id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
status: experimental
date: 2017/02/12
+modified: 2021/06/21
references:
- https://twitter.com/jackcr/status/807385668833968128
tags:
@@ -15,7 +16,7 @@ logsource:
detection:
selection:
EventID: 4656
- ProcessName: 'C:\Windows\System32\lsass.exe'
+ ProcessName|endswith: '\lsass.exe'
AccessMask: '0x705'
ObjectType: 'SAM_DOMAIN'
condition: selection
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
index 849f04541a6..afe1ef752ee 100644
--- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask
status: experimental
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019/11/01
-modified: 2019/11/07
+modified: 2021/04/19
references:
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
@@ -40,7 +40,7 @@ detection:
AccessList|contains:
- '4484'
- '4416'
- filter:
+ filter1:
ProcessName|endswith:
- '\wmiprvse.exe'
- '\taskmgr.exe'
@@ -51,8 +51,18 @@ detection:
- '\wininit.exe'
- '\vmtoolsd.exe'
- '\minionhost.exe' # Cyberreason
- - '\VsTskMgr.exe' # McAfee Enterprise
- condition: selection_1 or selection_2 and not filter
+ - '\VsTskMgr.exe' # McAfee Enterprise
+ - '\thor64.exe' # THOR
+ ProcessName|startswith:
+ - C:\Windows\System32\
+ - C:\Windows\SysWow64\
+ - C:\Windows\SysNative\
+ - C:\Program Files\
+ - C:\Windows\Temp\asgard2-agent\
+ filter2:
+ ProcessName|startswith:
+ - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
+ condition: selection_1 or selection_2 and not filter1 and not filter2
fields:
- ComputerName
- SubjectDomainName
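Review bot: The new `condition: selection_1 or selection_2 and not filter1 and not filter2` keeps the precedence problem of the line it replaces: in Sigma `and` binds tighter than `or`, so this parses as `selection_1 or (selection_2 and not filter1 and not filter2)` and neither filter is applied to `selection_1` matches. Write `condition: (selection_1 or selection_2) and not filter1 and not filter2`. Adding `ProcessName|startswith` to `filter1` means the `|endswith` names are now only excluded when the process also runs from one of the listed directories (keys within one selection are ANDed), which is a sensible tightening worth a comment such as `# known-good binaries are excluded only when run from their expected install paths`; but `filter2`'s unconditional `'C:\Program Files'` prefix excludes everything under Program Files (and `Program Files (x86)`) regardless, making the `C:\Program Files\` entry in `filter1` redundant and undoing the tightening for that tree. The `|startswith` paths in `filter1` are unquoted while `filter2`'s is quoted; quote them consistently.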
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index 83b26c58d57..cac81fb5bb3 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -22,15 +22,15 @@ falsepositives:
level: high
detection:
selection1:
- Image: '*\mshta.exe'
- CommandLine:
- - '*vbscript*'
- - '*.jpg*'
- - '*.png*'
- - '*.lnk*'
- # - '*.chm*' # could be prone to false positives
- - '*.xls*'
- - '*.doc*'
- - '*.zip*'
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains:
+ - 'vbscript'
+ - '.jpg'
+ - '.png'
+ - '.lnk'
+ # - '.chm' # could be prone to false positives
+ - '.xls'
+ - '.doc'
+ - '.zip'
condition:
selection1
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index a33b528423d..15b527e734c 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -23,10 +23,10 @@ detection:
Source: 'Windows Error Reporting'
EventID: 1001
keywords:
- Message:
- - '*MsMpEng.exe*'
- - '*mpengine.dll*'
- condition: 1 of selection* and all of keywords
+ Message|contains:
+ - 'MsMpEng.exe'
+ - 'mpengine.dll'
+ condition: 1 of selection* and keywords
falsepositives:
- MsMpEng.exe can crash when C:\ is full
level: high
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index c6a7653af9c..3fa6129992c 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method)
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017/03/07
modified: 2020/08/23
tags:
@@ -20,15 +20,17 @@ logsource:
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- - EventID: 4661
- ObjectType: 'SAM_USER'
- ObjectName: 'S-1-5-21-*-500'
+ EventID: 4661
+ ObjectType:
+ - 'SAM_USER'
+ - 'SAM_GROUP'
+ ObjectName|startswith: 'S-1-5-21-'
AccessMask: '0x2d'
- - EventID: 4661
- ObjectType: 'SAM_GROUP'
- ObjectName: 'S-1-5-21-*-512'
- AccessMask: '0x2d'
- condition: selection
+ selection2:
+ ObjectName|endswith:
+ - '-500'
+ - '-512'
+ condition: selection and selection2
falsepositives:
- Administrator activity
- Penetration tests
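Review bot: Collapsing the two `EventID: 4661` maps into `selection` plus `selection2` loosens the original pairing: the old rule required `SAM_USER` together with RID `-500` or `SAM_GROUP` together with RID `-512`, whereas `selection and selection2` accepts all four combinations. RID 500 is the built-in Administrator user and RID 512 the Domain Admins group, so the cross combinations are unlikely in practice, but if the pairing matters keep two selections (`selection_user` with `ObjectType: 'SAM_USER'` and `ObjectName|endswith: '-500'`, `selection_group` with `'SAM_GROUP'` and `'-512'`, both with the shared `EventID`/`ObjectName|startswith`/`AccessMask` keys) and `condition: 1 of selection_*`. The earlier hunk in this file shows `modified: 2020/08/23`, which should be bumped since the detection logic changes here.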
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index 81aa4bf6ab1..f9e9df5a2f7 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: ntlm
- definition: Reqiures events from Microsoft-Windows-NTLM/Operational
+ definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8002
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml
index bed9e568ac1..96e1d00a845 100644
--- a/rules/windows/builtin/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
EventID: 8001
- TargetName: TERMSRV*
+ TargetName|startswith: TERMSRV
condition: selection
fields:
- Computer
diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml
new file mode 100644
index 00000000000..e67638118f3
--- /dev/null
+++ b/rules/windows/builtin/win_susp_proceshacker.yml
@@ -0,0 +1,24 @@
+title: ProcessHacker Privilege Elevation
+id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
+description: Detects a ProcessHacker tool that elevated privileges to a very high level
+references:
+ - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2021/05/27
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1543.003
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+ ServiceName|startswith: 'ProcessHacker'
+ AccountName: 'LocalSystem'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
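Review bot: The rule has no `status:` field, while the other rules introduced in this commit declare one; add `status: experimental` after `id`. The filename `win_susp_proceshacker.yml` misspells "ProcessHacker" (one `s`), which is cheap to fix before the file lands and hard to rename afterwards without breaking references.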
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 84d8da0e77c..f64f235f7c3 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -17,14 +17,14 @@ detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
- RelativeTargetName:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ RelativeTargetName|endswith:
+ - '-stdin'
+ - '-stdout'
+ - '-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
- RelativeTargetName: 'PSEXESVC*'
+ RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
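Review bot: `ShareName: \\*\IPC$` in both `selection1` and `selection2` still relies on a plain-value `*` wildcard, while this very hunk converts the neighbouring `RelativeTargetName` matches to `|endswith`/`|startswith` modifiers, so the rule now mixes the two styles. Write `ShareName|endswith: '\IPC$'` in both selections; the quotes also make the backslash-leading plain scalar easier to read. `condition: selection1 and not selection2` negates a block whose name suggests a positive match; naming it `filter_psexesvc` would make the apparent intent (named-pipe suffixes without the PSEXESVC prefix) clear to the next reader.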
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index 16114b2be9e..66caa1f785a 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -14,19 +14,19 @@ detection:
selection:
EventID:
- 5145
- RelativeTargetName:
- - '*.pst'
- - '*.ost'
- - '*.msg'
- - '*.nst'
- - '*.oab'
- - '*.edb'
- - '*.nsf'
- - '*.bak'
- - '*.dmp'
- - '*.kirbi'
- - '*\groups.xml'
- - '*.rdp'
+ RelativeTargetName|endswith:
+ - '.pst'
+ - '.ost'
+ - '.msg'
+ - '.nst'
+ - '.oab'
+ - '.edb'
+ - '.nsf'
+ - '.bak'
+ - '.dmp'
+ - '.kirbi'
+ - '\groups.xml'
+ - '.rdp'
condition: selection
fields:
- ComputerName
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 41a25dc7212..496ed152482 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -20,7 +20,7 @@ detection:
TicketOptions: '0x40810000'
TicketEncryptionType: '0x17'
reduction:
- - ServiceName: '$*'
+ - ServiceName|startswith: '$'
condition: selection and not reduction
falsepositives:
- Service accounts used on legacy systems (e.g. NetApp)
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 7c0894b6b1a..d014cb46e37 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -15,8 +15,9 @@ logsource:
detection:
selection:
EventID: 16
- Message:
- - '*\AppData\Local\Temp\SAM-*.dmp *'
+ Message|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
condition: selection
falsepositives:
- Penetration testing
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5bb8bd70008..558a109e19d 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -28,9 +28,9 @@ detection:
- 4656
- 4663
- 4658
- ObjectName:
- - '*.AAA'
- - '*.ZZZ'
+ ObjectName|endswith:
+ - '.AAA'
+ - '.ZZZ'
condition: selection
falsepositives:
- Legitime usage of SDelete
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index 01e9a7584a7..360e1a87293 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -6,6 +6,7 @@ author: '@neu5ron'
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
date: 2019/02/05
modified: 2020/01/27
tags:
diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index e9627a54e27..98835de023f 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -13,7 +13,7 @@ logsource:
detection:
selection:
EventID: 4624
- ProcessName: "*\\WmiPrvSE.exe"
+ ProcessName|endswith: '\WmiPrvSE.exe'
condition: selection
falsepositives:
- Monitoring tools
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index c975f68f724..6b172fb38ee 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -3,7 +3,7 @@ id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- - https://github.com/GhostPack/Rubeus8
+ - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml
new file mode 100644
index 00000000000..ea907d4f1f5
--- /dev/null
+++ b/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml
@@ -0,0 +1,44 @@
+title: Suspicious Werfault.exe Network Connection Outbound
+id: e12c75f2-d09e-43f6-90e4-6a23842907af
+status: experimental
+description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
+references:
+ - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
+author: Sreeman
+date: 2021/03/09
+modified: 2021/06/11
+tags:
+ - attack.command_and_control
+ - attack.t1571
+logsource:
+ product: windows
+ category: network_connection
+detection:
+ selection:
+ Image: 'werfault.exe'
+ filter1:
+ ParentImage: 'svchost.exe'
+ filter2:
+ DestinationIp:
+ - '104.42.151.234'
+ - '104.43.193.48'
+ - '52.255.188.83'
+ - '13.64.90.137'
+ - '168.61.161.212'
+ - '13.88.21.125'
+ - '40.88.32.150'
+ - '52.147.198.201'
+ - '52.239.207.100'
+ - '52.176.224.96'
+ - '2607:7700:0:24:0:1:287e:1894'
+ - '10.*'
+ - '192.168.*'
+ - '127.*'
+ filter3:
+ DestinationHostname|contains:
+ - '*.windowsupdate.com'
+ - '*.microsoft.com'
+ condition: selection and not ( filter1 and filter2 and filter3 )
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces
+level: medium
\ No newline at end of file
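Review bot: `Image: 'werfault.exe'` in `selection` and `ParentImage: 'svchost.exe'` in `filter1` are exact-match values, but Sysmon network_connection events carry the full image path (the other rules in this commit use `Image|endswith: '\...'` for exactly that reason), so as written the selection is unlikely to ever match and the rule is dead. The exclusion is also ANDed — `not ( filter1 and filter2 and filter3 )` — so a benign WerFault connection is only suppressed when parent, destination IP and hostname all match at once; `DestinationHostname` is frequently empty in EID 3, so most legitimate reports would still alert, and presumably the intent was `filter1 and (filter2 or filter3)`. The leading `*` in `'*.windowsupdate.com'` is redundant under `|contains` (and `|endswith` would stop `microsoft.com.attacker.tld` from being excluded), while the hard-coded Microsoft IP list will drift — `DestinationIp|cidr` with the published ranges is easier to maintain if the backend supports it. The file also lacks a trailing newline.
```yaml
  selection:
    Image|endswith: '\werfault.exe'
  filter1:
    ParentImage|endswith: '\svchost.exe'
  # … unchanged: filter2 (DestinationIp list) …
  filter3:
    DestinationHostname|endswith:
      - '.windowsupdate.com'
      - '.microsoft.com'
  condition: selection and not ( filter1 and (filter2 or filter3) )
```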
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index bd8939a6589..be19e9ffbcd 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -19,7 +19,7 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: svcctl
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- pentesting
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml
index ff56999a5e3..0c36525b122 100644
--- a/rules/windows/builtin/win_syskey_registry_access.yml
+++ b/rules/windows/builtin/win_syskey_registry_access.yml
@@ -6,7 +6,7 @@ date: 2019/08/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md
+ - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html
tags:
- attack.discovery
- attack.t1012
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml
new file mode 100644
index 00000000000..040fe5a60f1
--- /dev/null
+++ b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml
@@ -0,0 +1,35 @@
+title: Sysmon Channel Reference Deletion
+id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
+status: experimental
+description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
+references:
+ - https://twitter.com/Flangvik/status/1283054508084473861
+ - https://twitter.com/SecurityJosh/status/1283027365770276866
+ - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+ - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/07/14
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 4657
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ ObjectValueName: 'Enabled'
+ NewValue: '0'
+ selection2:
+ EventID: 4663
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ AccessMask: 0x10000
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
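Review bot: `AccessMask: 0x10000` in `selection2` is an unquoted hex literal, which YAML loads as the integer 65536, whereas the Security log carries the field as the string `0x10000` and the other rules in this commit quote such values (e.g. `'0x1410'`); write `AccessMask: '0x10000'` so the backend emits a string comparison. Both 4657 and 4663 are only generated for these keys if a SACL auditing Set Value / DELETE is configured on the WINEVT `Publishers` and `Channels` keys, which is worth stating in the description or a `definition:` so deployers know the rule is silent without it. Minor: `falsepositives: - unknown` is lower-case unlike the rest of the batch, and the file lacks a trailing newline.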
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml
index 42d05509bab..a5baba352f8 100644
--- a/rules/windows/builtin/win_tap_driver_installation.yml
+++ b/rules/windows/builtin/win_tap_driver_installation.yml
@@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
- selection_1:
+ selection:
ImagePath|contains: 'tap0901'
- condition: selection and selection_1
+ condition: selection
---
logsource:
product: windows
@@ -25,14 +25,11 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: driver_load
+---
+logsource:
+ product: windows
+ service: security
detection:
selection:
- EventID: 6
----
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+ EventID: 4697
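Review bot: The new `category: driver_load` document inherits the global `ImagePath|contains: 'tap0901'` selection, but Sysmon driver-load events (EID 6) expose the driver path as `ImageLoaded` — the driver_load rules elsewhere in this commit use `ImageLoaded|contains: '\Temp\'` and `ImageLoaded|contains: '\DBUtil_2_3.Sys'` — so that document presumably matches nothing. Either give it its own `detection: selection: ImageLoaded|contains: 'tap0901'` with `condition: selection`, or move the field-specific selection out of the global section. The first document's header (and any `action: global` line) is outside this hunk, so I cannot confirm how the detection blocks are merged.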
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index 418b2bb86d9..0443447e998 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -22,7 +22,7 @@ detection:
selection_group2:
GroupSid: 'S-1-5-32-544'
filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
condition: selection and (1 of selection_group*) and not filter
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 5abc45e1fd1..7d163008951 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -20,19 +20,19 @@ detection:
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
selection_2:
- ProcessName|contains:
- - '*\Windows\System32\Dism.exe'
- - '*\Windows\System32\rundll32.exe'
- - '*\Windows\System32\fltMC.exe'
- - '*\Windows\HelpPane.exe'
- - '*\Windows\System32\mmc.exe'
- - '*\Windows\System32\svchost.exe'
- - '*\Windows\System32\wimserv.exe'
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
- - '*\Google\Chrome\Application\chrome.exe'
+ ProcessName|endswith:
+ - '\Windows\System32\Dism.exe'
+ - '\Windows\System32\rundll32.exe'
+ - '\Windows\System32\fltMC.exe'
+ - '\Windows\HelpPane.exe'
+ - '\Windows\System32\mmc.exe'
+ - '\Windows\System32\svchost.exe'
+ - '\Windows\System32\wimserv.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ - '\Google\Chrome\Application\chrome.exe'
condition: selection_1 and not selection_2
falsepositives:
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/win_volume_shadow_copy_mount.yml
new file mode 100644
index 00000000000..c7400389a11
--- /dev/null
+++ b/rules/windows/builtin/win_volume_shadow_copy_mount.yml
@@ -0,0 +1,23 @@
+title: Volume Shadow Copy Mount
+id: f512acbf-e662-4903-843e-97ce4652b740
+description: Detects volume shadow copy mount
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Source: Microsoft-Windows-Ntfs
+ EventID: 98
+ DeviceName|contains: HarddiskVolumeShadowCopy
+ condition: selection
+falsepositives:
+ - Legitimate use of volume shadow copy mounts (backups maybe).
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
new file mode 100644
index 00000000000..9216aad0a31
--- /dev/null
+++ b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
@@ -0,0 +1,25 @@
+title: VSSAudit Security Event Source Registration
+id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
+description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_one:
+ EventID: 4904
+ AuditSourceName: VSSAudit
+ selection_two:
+ EventID: 4905
+ AuditSourceName: VSSAudit
+ condition: selection_one or selection_two
+falsepositives:
+ - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index 38b8e95e69a..51a0902c7cd 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -4,8 +4,10 @@ status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
-author: Florian Roth
+ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+author: Florian Roth, wagga
date: 2020/02/29
+modified: 2021/06/27
tags:
- attack.initial_access
- attack.t1190
@@ -18,7 +20,8 @@ detection:
Source: MSExchange Control Panel
Level: Error
selection2:
- - '*&__VIEWSTATE=*'
+ Message|contains:
+ - '&__VIEWSTATE='
condition: selection1 and selection2
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000000..83bf381a1d0
--- /dev/null
+++ b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,26 @@
+title: T1047 Wmiprvse Wbemcomn DLL Hijack
+id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
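Review bot: The description says the rule detects a file being *created* over the network, but `selection` only constrains `RelativeTargetName|endswith: '\wbem\wbemcomn.dll'`, so a plain remote read of the existing DLL (which 5145 also logs) raises the same critical alert; add `Accesses|contains: 'WriteData'` as the svcctl rule in this commit does, and consider `ShareName` constraints (`ADMIN$` / `C$`) if the expected drop path is known. The `filter` discards every event whose `SubjectUserName` ends in `$`, which also hides activity performed with a compromised computer account — worth a line under `falsepositives` or a comment explaining that trade-off. 5145 requires the "Detailed File Share" audit subcategory, which a `definition:` line should state.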
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_cactustorch.yml
rename to rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 9b8b5ec9504..1bd0ff71fca 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -10,17 +10,17 @@ date: 2019/02/01
modified: 2020/08/28
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
detection:
selection:
EventID: 8
- SourceImage:
- - '*\System32\cscript.exe'
- - '*\System32\wscript.exe'
- - '*\System32\mshta.exe'
- - '*\winword.exe'
- - '*\excel.exe'
- TargetImage: '*\SysWOW64\\*'
+ SourceImage|endswith:
+ - '\System32\cscript.exe'
+ - '\System32\wscript.exe'
+ - '\System32\mshta.exe'
+ - '\winword.exe'
+ - '\excel.exe'
+ TargetImage|contains: '\SysWOW64\'
StartModule: null
condition: selection
tags:
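Review bot: `EventID: 8` is kept in `selection` although the logsource now carries `category: create_remote_thread`, while the sibling rules in this commit (cobaltstrike_process_injection, createremotethread_loadlibrary, password_dumper_lsass, suspicious_remote_thread) drop that line when they switch to the category; keep the batch consistent and remove `EventID: 8` here and in `sysmon_susp_powershell_rundll32`, since the category mapping already selects the event. The rest of the hunk is a straightforward wildcard-to-modifier conversion.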
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
rename to rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index e2b972247d3..fb0e4c916c4 100644
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -14,10 +14,9 @@ date: 2018/11/30
modified: 2020/08/28
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
detection:
selection:
- EventID: 8
TargetProcessAddress|endswith:
- '0B80'
- '0C7C'
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
rename to rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index bf831b3263a..30b3da1b262 100644
--- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -6,17 +6,16 @@ date: 2019/08/11
modified: 2020/08/28
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
tags:
- attack.defense_evasion
- attack.t1055 # an old one
- attack.t1055.001
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
detection:
selection:
- EventID: 8
StartModule|endswith: '\kernel32.dll'
StartFunction: 'LoadLibraryA'
condition: selection
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
similarity index 85%
rename from rules/windows/sysmon/sysmon_password_dumper_lsass.yml
rename to rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
index a8d8db9b77b..fbdb2e0812f 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -6,13 +6,13 @@ references:
status: stable
author: Thomas Patzke
date: 2017/02/19
+modified: 2021/06/21
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
detection:
selection:
- EventID: 8
- TargetImage: 'C:\Windows\System32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
StartModule: ''
condition: selection
tags:
@@ -21,5 +21,5 @@ tags:
- attack.s0005
- attack.t1003.001
falsepositives:
- - unknown
+ - Antivirus products
level: high
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
similarity index 83%
rename from rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
rename to rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
index c5d046bfc3b..d1262e1f7c3 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -8,12 +8,12 @@ references:
date: 2018/06/25
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
detection:
selection:
EventID: 8
- SourceImage: '*\powershell.exe'
- TargetImage: '*\rundll32.exe'
+ SourceImage|endswith: '\powershell.exe'
+ TargetImage|endswith: '\rundll32.exe'
condition: selection
tags:
- attack.defense_evasion
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
rename to rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
index fe2dee61a4e..e8bf963f896 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -7,21 +7,20 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
-modified: 2020/08/28
+modified: 2021/06/27
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
- https://lolbas-project.github.io
logsource:
product: windows
- service: sysmon
+ category: create_remote_thread
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
detection:
selection:
- EventID: 8
SourceImage|endswith:
- '\bash.exe'
- '\cvtres.exe'
@@ -65,7 +64,7 @@ detection:
- '\userinit.exe'
- '\vssadmin.exe'
- '\vssvc.exe'
- - '\w3wp.exe*'
+ - '\w3wp.exe'
- '\winlogon.exe'
- '\winscp.exe'
- '\wmic.exe'
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
similarity index 88%
rename from rules/windows/sysmon/sysmon_ads_executable.yml
rename to rules/windows/create_stream_hash/sysmon_ads_executable.yml
index 7eaed87c756..5a09953059e 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -14,16 +14,14 @@ date: 2018/06/03
modified: 2020/08/26
logsource:
product: windows
- service: sysmon
+ category: create_stream_hash
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
- selection:
- EventID: 15
filter1:
Imphash: '00000000000000000000000000000000'
filter2:
Imphash: null
- condition: selection and not 1 of filter*
+ condition: not 1 of filter*
fields:
- TargetFilename
- Image
diff --git a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
new file mode 100644
index 00000000000..34652dad4e0
--- /dev/null
+++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
@@ -0,0 +1,24 @@
+title: Exports Registry Key To an Alternate Data Stream
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+status: experimental
+description: Exports the target Registry key and hides it in the specified alternate data stream.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ product: windows
+ category: create_stream_hash
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ condition: selection
+fields:
+ - TargetFilename
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
index 55062f2fbe8..d94967e9512 100644
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,13 +13,13 @@ tags:
- car.2019-04-004
author: Sherif Eldeeb
date: 2017/10/18
+modified: 2021/06/21
logsource:
product: windows
- service: sysmon
+ category: process_access
detection:
selection:
- EventID: 10
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
GrantedAccess:
- '0x1410'
- '0x1010'
diff --git a/rules/windows/dns_query/dns_mega_nz.yml b/rules/windows/dns_query/dns_mega_nz.yml
new file mode 100644
index 00000000000..dee549f288b
--- /dev/null
+++ b/rules/windows/dns_query/dns_mega_nz.yml
@@ -0,0 +1,22 @@
+title: DNS Query for MEGA.io Upload Domain
+id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Mega upload
+level: high
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ dns_request:
+ EventID: 22
+ QueryName|contains: userstorage.mega.co.nz
+ condition: dns_request
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
similarity index 97%
rename from rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
rename to rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
index 5284ec12547..bf301a32abf 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
@@ -12,10 +12,9 @@ tags:
- attack.t1189
logsource:
product: windows
- service: sysmon
+ category: dns_query
detection:
dns_answer:
- EventID: 22
QueryName: '*'
QueryStatus: '0'
filter_int_ip:
diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
index 009665b7556..083b9f7f596 100755
--- a/rules/windows/driver_load/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -13,9 +13,9 @@ logsource:
category: driver_load
product: windows
detection:
- selection:
- ImageLoaded: '*\Temp\\*'
+ selection:
+ ImageLoaded|contains: '\Temp\'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
-level: medium
+level: high
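Review bot: `level: high` is raised in the same hunk that keeps `falsepositives: there is a relevant set of false positives depending on applications in the environment`; bumping severity while acknowledging a known FP set will push installers that may legitimately stage drivers under `\Temp\` into high-priority queues. Either keep `medium`, or add a `modified:` date and a sentence in the description explaining why the severity was raised (those fields are outside this hunk). `ImageLoaded|contains: '\Temp\'` itself is the right field for driver_load.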
diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
new file mode 100644
index 00000000000..39517aa8bf1
--- /dev/null
+++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
@@ -0,0 +1,30 @@
+title: Vulnerable Dell BIOS Update Driver Load
+id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
+author: Florian Roth
+date: 2021/05/05
+references:
+ - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+logsource:
+ category: driver_load
+ product: windows
+tags:
+ - cve.2021-21551
+detection:
+ selection_image:
+ ImageLoaded|contains: '\DBUtil_2_3.Sys'
+ selection_hash:
+ Hashes|contains:
+ - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
+ - 'c948ae14761095e4d76b55d9de86412258be7afd'
+ - 'c996d7971c49252c582171d9380360f2'
+ - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
+ - '10b30bdee43b3a2ec4aa63375577ade650269d25'
+ - 'd2fd132ab7bbc6bbb87a84f026fa0244'
+
+
+
+ condition: selection_image or selection_hash
+falsepositives:
+ - legitimate BIOS driver updates (should be rare)
+level: high
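Review bot: `selection_hash` lists six bare digests without saying which algorithm or file each belongs to; label them with comments (e.g. `# SHA256 / SHA1 / MD5 of DBUtil_2_3.Sys`) so the next maintainer can verify and rotate them, and since Sysmon's `Hashes` field is formatted `SHA1=...,MD5=...,SHA256=...`, prefixing values such as `'SHA256=0296e2ce...'` would keep a short MD5 from matching inside a longer digest by accident. The three blank lines between the hash list and `condition:` are stray. The rule carries only a `cve.` tag — an ATT&CK tag such as `attack.privilege_escalation` / `attack.t1068` would fit the referenced privilege-escalation flaw — and `status:` is missing.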
diff --git a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
new file mode 100644
index 00000000000..f376c51dbd4
--- /dev/null
+++ b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
@@ -0,0 +1,24 @@
+title: Sysinternals SDelete File Deletion
+id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
+description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+ - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '.AAA'
+ - '.ZZZ'
+ condition: selection
+falsepositives:
+ - Legitime usage of SDelete
+level: medium
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bd723e0e88c..7406f4e73b0 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects the creation of a executable with a system process name in a suspicious folder
author: Sander Wiebing
date: 2020/05/26
-modified: 2020/08/23
+modified: 2021/05/16
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -14,40 +14,42 @@ logsource:
product: windows
detection:
selection:
- TargetFilename:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\runtimebroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ TargetFilename|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\runtimebroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
filter:
- TargetFilename:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '\SystemRoot\System32\\*'
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - '\SystemRoot\System32\'
+ Image|endswith:
+ - '\Windows\System32\dism.exe'
condition: selection and not filter
fields:
- Image
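Review bot: Adding `Image|endswith: '\Windows\System32\dism.exe'` inside the existing `filter` map ANDs it with the `TargetFilename|startswith` list, so the exclusion now only applies when dism.exe writes into System32/SysWOW64/WinSxS; a file such as `svchost.exe` written into `C:\Windows\System32\` by any other process (Windows servicing, presumably) now alerts, which reverses the original intent of excluding the legitimate system directories. If the goal was to additionally exclude dism.exe, give it its own selection and negate both with `1 of filter*`. The rule header is outside this hunk, so I cannot see whether the `modified` bump in the earlier hunk is meant to document this narrowing.
```yaml
  filter_path:
    TargetFilename|startswith:
      # … unchanged: System32 / SysWOW64 / WinSxS / SystemRoot prefixes …
  filter_dism:
    Image|endswith: '\Windows\System32\dism.exe'
  condition: selection and not 1 of filter*
```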
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index a820590241f..3019ca4204a 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection:
- TargetFilename: '*\Temp\debug.bin'
+ TargetFilename|endswith: '\Temp\debug.bin'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
new file mode 100644
index 00000000000..b7440b4b664
--- /dev/null
+++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -0,0 +1,31 @@
+title: Files Dropped to Program Files by Non-Priviledged Process
+id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
+description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/17
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574
+ - attack.t1574.010
+logsource:
+ category: file_event
+ product: windows
+detection:
+ integrity:
+ IntegrityLevel: 'Medium'
+ program_files:
+ - TargetFilename|contains:
+ - '\Program Files\'
+ - '\Program Files (x86)\'
+ windows:
+ TargetFilename|startswith: '\Windows\'
+ temp:
+ TargetFilename|contains: 'temp'
+ condition: integrity and (program_files or windows and not temp)
+falsepositives:
+ - Unknown
+level: medium
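Review bot: `TargetFilename|startswith: '\Windows\'` in the `windows` selection is unlikely to ever match, because Sysmon reports TargetFilename as a full path beginning with the drive letter (compare the `'C:\Windows\System32\'` startswith values used by the filter earlier in this diff); `TargetFilename|contains: '\Windows\'` would behave as intended. The condition `integrity and (program_files or windows and not temp)` binds as `program_files or (windows and not temp)`, so the temp exclusion never applies to the Program Files branch; if that is unintended, write `integrity and (program_files or windows) and not temp`. As far as I know IntegrityLevel is a process-creation field and is not carried on Sysmon file-create events, so `integrity` may never be satisfied — worth confirming against a real event before relying on this rule. The title and description also carry typos (`Priviledged`, `fodlers`).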
diff --git a/rules/windows/file_event/sysmon_outlook_newform.yml b/rules/windows/file_event/sysmon_outlook_newform.yml
new file mode 100644
index 00000000000..0ee7b8be522
--- /dev/null
+++ b/rules/windows/file_event/sysmon_outlook_newform.yml
@@ -0,0 +1,24 @@
+title: Outlook Form Installation
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+status: experimental
+description: Detects the creation of new Outlook form which can contain malicious code
+references:
+ - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+tags:
+ - attack.persistence
+ - attack.t1137.003
+author: Tobias Michalski
+date: 2021/06/10
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image: '\outlook.exe'
+ TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
+ condition: selection
+fields:
+ - TargetFilename
+falsepositives:
+ - unknown
+level: high
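Review bot: `Image: '\outlook.exe'` is an exact-value match, so it only fires if the Image field is literally `\outlook.exe`; since Sysmon records the full process path this selection never matches. Use `Image|endswith: '\outlook.exe'`, consistent with the other conversions in this commit. The `TargetFilename|contains` value mixes cases (`\appdata\local\microsoft\FORMS\`); Sigma matching is case-insensitive by default so this is harmless, but a consistent spelling reads better.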
diff --git a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml
new file mode 100644
index 00000000000..f45d3e393bc
--- /dev/null
+++ b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml
@@ -0,0 +1,23 @@
+title: PCRE.NET Package Temp Files
+id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
+description: Detects processes creating temp files related to PCRE.NET package
+status: experimental
+date: 2020/10/29
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059
+references:
+ - https://twitter.com/rbmaslen/status/1321859647091970051
+ - https://twitter.com/tifkin_/status/1321916444557365248
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
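Review bot: The `TargetFilename|contains` value on the selection line is an unquoted plain scalar that starts and ends with `\`; it parses today, but it is fragile across YAML loaders and inconsistent with every other rule in this commit, which quote their paths. Quote it: `- TargetFilename|contains: '\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\'`. The same unquoted value appears in sysmon_pcre_net_load.yml later in this diff. Both files also lack a trailing newline.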
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index 7ca77418757..e446c5307a8 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -15,102 +15,102 @@ logsource:
product: windows
detection:
selection:
- TargetFilename:
- - '*\Invoke-DllInjection.ps1'
- - '*\Invoke-WmiCommand.ps1'
- - '*\Get-GPPPassword.ps1'
- - '*\Get-Keystrokes.ps1'
- - '*\Get-VaultCredential.ps1'
- - '*\Invoke-CredentialInjection.ps1'
- - '*\Invoke-Mimikatz.ps1'
- - '*\Invoke-NinjaCopy.ps1'
- - '*\Invoke-TokenManipulation.ps1'
- - '*\Out-Minidump.ps1'
- - '*\VolumeShadowCopyTools.ps1'
- - '*\Invoke-ReflectivePEInjection.ps1'
- - '*\Get-TimedScreenshot.ps1'
- - '*\Invoke-UserHunter.ps1'
- - '*\Find-GPOLocation.ps1'
- - '*\Invoke-ACLScanner.ps1'
- - '*\Invoke-DowngradeAccount.ps1'
- - '*\Get-ServiceUnquoted.ps1'
- - '*\Get-ServiceFilePermission.ps1'
- - '*\Get-ServicePermission.ps1'
- - '*\Invoke-ServiceAbuse.ps1'
- - '*\Install-ServiceBinary.ps1'
- - '*\Get-RegAutoLogon.ps1'
- - '*\Get-VulnAutoRun.ps1'
- - '*\Get-VulnSchTask.ps1'
- - '*\Get-UnattendedInstallFile.ps1'
- - '*\Get-WebConfig.ps1'
- - '*\Get-ApplicationHost.ps1'
- - '*\Get-RegAlwaysInstallElevated.ps1'
- - '*\Get-Unconstrained.ps1'
- - '*\Add-RegBackdoor.ps1'
- - '*\Add-ScrnSaveBackdoor.ps1'
- - '*\Gupt-Backdoor.ps1'
- - '*\Invoke-ADSBackdoor.ps1'
- - '*\Enabled-DuplicateToken.ps1'
- - '*\Invoke-PsUaCme.ps1'
- - '*\Remove-Update.ps1'
- - '*\Check-VM.ps1'
- - '*\Get-LSASecret.ps1'
- - '*\Get-PassHashes.ps1'
- - '*\Show-TargetScreen.ps1'
- - '*\Port-Scan.ps1'
- - '*\Invoke-PoshRatHttp.ps1'
- - '*\Invoke-PowerShellTCP.ps1'
- - '*\Invoke-PowerShellWMI.ps1'
- - '*\Add-Exfiltration.ps1'
- - '*\Add-Persistence.ps1'
- - '*\Do-Exfiltration.ps1'
- - '*\Start-CaptureServer.ps1'
- - '*\Invoke-ShellCode.ps1'
- - '*\Get-ChromeDump.ps1'
- - '*\Get-ClipboardContents.ps1'
- - '*\Get-FoxDump.ps1'
- - '*\Get-IndexedItem.ps1'
- - '*\Get-Screenshot.ps1'
- - '*\Invoke-Inveigh.ps1'
- - '*\Invoke-NetRipper.ps1'
- - '*\Invoke-EgressCheck.ps1'
- - '*\Invoke-PostExfil.ps1'
- - '*\Invoke-PSInject.ps1'
- - '*\Invoke-RunAs.ps1'
- - '*\MailRaider.ps1'
- - '*\New-HoneyHash.ps1'
- - '*\Set-MacAttribute.ps1'
- - '*\Invoke-DCSync.ps1'
- - '*\Invoke-PowerDump.ps1'
- - '*\Exploit-Jboss.ps1'
- - '*\Invoke-ThunderStruck.ps1'
- - '*\Invoke-VoiceTroll.ps1'
- - '*\Set-Wallpaper.ps1'
- - '*\Invoke-InveighRelay.ps1'
- - '*\Invoke-PsExec.ps1'
- - '*\Invoke-SSHCommand.ps1'
- - '*\Get-SecurityPackages.ps1'
- - '*\Install-SSP.ps1'
- - '*\Invoke-BackdoorLNK.ps1'
- - '*\PowerBreach.ps1'
- - '*\Get-SiteListPassword.ps1'
- - '*\Get-System.ps1'
- - '*\Invoke-BypassUAC.ps1'
- - '*\Invoke-Tater.ps1'
- - '*\Invoke-WScriptBypassUAC.ps1'
- - '*\PowerUp.ps1'
- - '*\PowerView.ps1'
- - '*\Get-RickAstley.ps1'
- - '*\Find-Fruit.ps1'
- - '*\HTTP-Login.ps1'
- - '*\Find-TrustedDocuments.ps1'
- - '*\Invoke-Paranoia.ps1'
- - '*\Invoke-WinEnum.ps1'
- - '*\Invoke-ARPScan.ps1'
- - '*\Invoke-PortScan.ps1'
- - '*\Invoke-ReverseDNSLookup.ps1'
- - '*\Invoke-SMBScanner.ps1'
- - '*\Invoke-Mimikittenz.ps1'
+ TargetFilename|endswith:
+ - '\Invoke-DllInjection.ps1'
+ - '\Invoke-WmiCommand.ps1'
+ - '\Get-GPPPassword.ps1'
+ - '\Get-Keystrokes.ps1'
+ - '\Get-VaultCredential.ps1'
+ - '\Invoke-CredentialInjection.ps1'
+ - '\Invoke-Mimikatz.ps1'
+ - '\Invoke-NinjaCopy.ps1'
+ - '\Invoke-TokenManipulation.ps1'
+ - '\Out-Minidump.ps1'
+ - '\VolumeShadowCopyTools.ps1'
+ - '\Invoke-ReflectivePEInjection.ps1'
+ - '\Get-TimedScreenshot.ps1'
+ - '\Invoke-UserHunter.ps1'
+ - '\Find-GPOLocation.ps1'
+ - '\Invoke-ACLScanner.ps1'
+ - '\Invoke-DowngradeAccount.ps1'
+ - '\Get-ServiceUnquoted.ps1'
+ - '\Get-ServiceFilePermission.ps1'
+ - '\Get-ServicePermission.ps1'
+ - '\Invoke-ServiceAbuse.ps1'
+ - '\Install-ServiceBinary.ps1'
+ - '\Get-RegAutoLogon.ps1'
+ - '\Get-VulnAutoRun.ps1'
+ - '\Get-VulnSchTask.ps1'
+ - '\Get-UnattendedInstallFile.ps1'
+ - '\Get-WebConfig.ps1'
+ - '\Get-ApplicationHost.ps1'
+ - '\Get-RegAlwaysInstallElevated.ps1'
+ - '\Get-Unconstrained.ps1'
+ - '\Add-RegBackdoor.ps1'
+ - '\Add-ScrnSaveBackdoor.ps1'
+ - '\Gupt-Backdoor.ps1'
+ - '\Invoke-ADSBackdoor.ps1'
+ - '\Enabled-DuplicateToken.ps1'
+ - '\Invoke-PsUaCme.ps1'
+ - '\Remove-Update.ps1'
+ - '\Check-VM.ps1'
+ - '\Get-LSASecret.ps1'
+ - '\Get-PassHashes.ps1'
+ - '\Show-TargetScreen.ps1'
+ - '\Port-Scan.ps1'
+ - '\Invoke-PoshRatHttp.ps1'
+ - '\Invoke-PowerShellTCP.ps1'
+ - '\Invoke-PowerShellWMI.ps1'
+ - '\Add-Exfiltration.ps1'
+ - '\Add-Persistence.ps1'
+ - '\Do-Exfiltration.ps1'
+ - '\Start-CaptureServer.ps1'
+ - '\Invoke-ShellCode.ps1'
+ - '\Get-ChromeDump.ps1'
+ - '\Get-ClipboardContents.ps1'
+ - '\Get-FoxDump.ps1'
+ - '\Get-IndexedItem.ps1'
+ - '\Get-Screenshot.ps1'
+ - '\Invoke-Inveigh.ps1'
+ - '\Invoke-NetRipper.ps1'
+ - '\Invoke-EgressCheck.ps1'
+ - '\Invoke-PostExfil.ps1'
+ - '\Invoke-PSInject.ps1'
+ - '\Invoke-RunAs.ps1'
+ - '\MailRaider.ps1'
+ - '\New-HoneyHash.ps1'
+ - '\Set-MacAttribute.ps1'
+ - '\Invoke-DCSync.ps1'
+ - '\Invoke-PowerDump.ps1'
+ - '\Exploit-Jboss.ps1'
+ - '\Invoke-ThunderStruck.ps1'
+ - '\Invoke-VoiceTroll.ps1'
+ - '\Set-Wallpaper.ps1'
+ - '\Invoke-InveighRelay.ps1'
+ - '\Invoke-PsExec.ps1'
+ - '\Invoke-SSHCommand.ps1'
+ - '\Get-SecurityPackages.ps1'
+ - '\Install-SSP.ps1'
+ - '\Invoke-BackdoorLNK.ps1'
+ - '\PowerBreach.ps1'
+ - '\Get-SiteListPassword.ps1'
+ - '\Get-System.ps1'
+ - '\Invoke-BypassUAC.ps1'
+ - '\Invoke-Tater.ps1'
+ - '\Invoke-WScriptBypassUAC.ps1'
+ - '\PowerUp.ps1'
+ - '\PowerView.ps1'
+ - '\Get-RickAstley.ps1'
+ - '\Find-Fruit.ps1'
+ - '\HTTP-Login.ps1'
+ - '\Find-TrustedDocuments.ps1'
+ - '\Invoke-Paranoia.ps1'
+ - '\Invoke-WinEnum.ps1'
+ - '\Invoke-ARPScan.ps1'
+ - '\Invoke-PortScan.ps1'
+ - '\Invoke-ReverseDNSLookup.ps1'
+ - '\Invoke-SMBScanner.ps1'
+ - '\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 2a582eaa32f..66d153487e2 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -18,7 +18,9 @@ logsource:
detection:
selection:
# Sysmon: File Creation (ID 11)
- TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
+ TargetFilename|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/file_event/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml
new file mode 100644
index 00000000000..d20ad26ed96
--- /dev/null
+++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml
@@ -0,0 +1,22 @@
+title: Startup Folder File Write
+id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+ - attack.t1547.001
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/12
+ - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
+ condition: selection
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
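Review bot: The selection only covers the all-users startup folder under ProgramData; the per-user folder (`\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`) is the more common persistence location and is not matched. Unless the rule is deliberately scoped to the machine-wide folder, the value used by sysmon_tsclient_filewrite_startup.yml in this same diff, `TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'`, would cover both. If the narrow scope is intentional, the description should say so. The file also lacks a trailing newline.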
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 204bb61c0df..7ec9950cd79 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -18,7 +18,8 @@ logsource:
category: file_event
detection:
selection_1:
- TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
+ TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
+ TargetFilename|endswith: '.sch'
selection_2:
Image:
- 'C:\windows\system32\svchost.exe'
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 00000000000..97fa03b0c1a
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,29 @@
+title: Suspcious CLR Logs Creation
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+description: Detects suspicious .NET assembly executions
+references:
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+date: 2020/10/12
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: omkar72, oscd.community
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - '\AppData\Local\Microsoft\CLR'
+ - '\UsageLogs\'
+ TargetFilename|contains:
+ - 'mshta'
+ - 'cscript'
+ - 'wscript'
+ - 'regsvr32'
+ - 'wmic'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
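Review bot: The title has a typo: `title: Suspicious CLR Logs Creation`. The second `TargetFilename|contains` list (`mshta`, `cscript`, …) matches those substrings anywhere in the path, not only in the UsageLogs file name, so a user or directory name containing one of them would also satisfy the selection; the `\UsageLogs\` requirement in the `contains|all` block keeps this manageable, but a comment above the list stating the intent would help, e.g. `# script-host name is expected in the UsageLogs file name`. The description `Detects suspicious .NET assembly executions` could also say what is actually observed, which is the creation of a CLR usage log for a scripting host.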
diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml
new file mode 100644
index 00000000000..e9e962736b1
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml
@@ -0,0 +1,22 @@
+title: Suspicious PFX File Creation
+id: dca1b3e8-e043-4ec8-85d7-867f334b5724
+description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/14
+ - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.pfx'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index 2dac9fab723..a929366d22f 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -15,13 +15,14 @@ logsource:
category: file_event
detection:
selection_1:
- TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'PROCEXP152.sys'
selection_2:
Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
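Review bot: `TargetFilename|endswith: 'PROCEXP152.sys'` drops the leading backslash of the original pattern, so any file whose name merely ends in that string would match; `TargetFilename|endswith: '\PROCEXP152.sys'` keeps the original name boundary. The converted `selection_2` keeps `Image|contains` for values like `'\procexp64.exe'` whereas the rest of this commit turns trailing `'*\name.exe'` wildcards into `|endswith`; `Image|endswith:` is the faithful conversion and avoids matching the name as a directory component. The original also required at least one subdirectory below Temp (`\Temp\*\PROCEXP152.sys`), so the new contains+endswith pair is slightly broader — probably fine, but it is a behaviour change worth recording.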
diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index 194b7558169..c171dcdfcb7 100755
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -9,8 +9,8 @@ logsource:
category: file_event
detection:
selection:
- Image: '*\mstsc.exe'
- TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ Image|endswith: '\mstsc.exe'
+ TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 00000000000..5f99eafe3e6
--- /dev/null
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,25 @@
+title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+author: Florian Roth
+status: experimental
+level: critical
+references:
+ - https://github.com/hhlxf/PrintNightmare
+ - https://github.com/afwu/PrintNightmare
+date: 2021/06/29
+tags:
+ - attack.execution
+ - cve.2021-1675
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+ condition: selection
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown
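Review bot: The `fields` list uses `TargetFileName` while the detection uses `TargetFilename`; field names are passed through as written by most backends, so the fields hint refers to a field that does not exist. Change it to `- TargetFilename`. The `contains` value also hard-codes the `C:` drive and full path; `TargetFilename|contains: '\spool\drivers\x64\3\old\1\123'` is robust to other system drives while keeping the same PoC-specific pattern. As the description already says, this only catches the default PoC file name, so the `critical` level reflects confidence when it fires rather than coverage; a line under `falsepositives` noting that the pattern is trivially changed would set expectations.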
diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
new file mode 100644
index 00000000000..e2b9f0c1eaa
--- /dev/null
+++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
@@ -0,0 +1,24 @@
+title: Outlook C2 Macro Creation
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+status: experimental
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
+ condition: selection
+falsepositives:
+ - User genuinly creates a VB Macro for their email
+level: medium
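Review bot: The tag `command_and_control` is missing the `attack.` prefix that the other tactic tag in this file carries (`attack.persistence`); write `- attack.command_and_control` so tag-based tooling groups it with the tactic. `genuinly` in the falsepositives entry should be `genuinely`. The description refers to a companion rule by file name (`win_outlook_c2_registry_key`); adding its rule id would let the reference survive a rename.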
diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml
new file mode 100644
index 00000000000..fa47e3244b3
--- /dev/null
+++ b/rules/windows/file_event/win_rclone_exec_file.yml
@@ -0,0 +1,25 @@
+title: Rclone Config File Creation
+id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
+description: Detects Rclone config file being created
+status: experimental
+date: 2021/05/26
+modified: 2021/06/27
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: file_event
+detection:
+ file_selection:
+ EventID: 11
+ TargetFilename|contains|all:
+ - ':\Users\'
+ - '\.config\rclone\'
+ condition: file_selection
\ No newline at end of file
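Review bot: `EventID: 11` inside `file_selection` hard-codes the Sysmon event id even though `logsource: category: file_event` is what maps this rule to file-creation events; on a backend whose file_event source is not Sysmon the rule silently never matches. Dropping the `EventID` line and relying on the logsource category, as every other file_event rule in this diff does, keeps the rule portable. The file name (`win_rclone_exec_file.yml`) also suggests execution while the title and detection are about config-file creation. The file lacks a trailing newline.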
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
new file mode 100644
index 00000000000..6304043ad8f
--- /dev/null
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -0,0 +1,27 @@
+title: Suspicious Multiple File Rename Or Delete Occurred
+id: 97919310-06a7-482c-9639-92b67ed63cf8
+status: experimental
+description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
+tags:
+ - attack.impact
+ - attack.t1486
+author: Vasiliy Burov, oscd.community
+date: 2020/10/16
+references:
+ - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
+detection:
+ selection:
+ EventID: 4663
+ ObjectType: 'File'
+ AccessList: '%%1537'
+ Keywords: '0x8020000000000000'
+ timeframe: 30s
+ condition: selection | count() by SubjectLogonId > 10
+falsepositives:
+ - Software uninstallation
+ - Files restore activities
+level: medium
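Review bot: Event 4663 is, as far as I know, only generated for objects that carry a matching SACL, so the `definition` text listing the audit-policy settings alone will leave operators with a silently empty data source. Extending it, e.g. `definition: 'Requirements: Audit object access policy enabled and a SACL auditing Delete on the monitored folders'`, would make the prerequisite explicit. The `AccessList: '%%1537'` and `Keywords` values are correctly quoted, which matters since the latter looks numeric.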
diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
new file mode 100644
index 00000000000..fa78485a034
--- /dev/null
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -0,0 +1,25 @@
+title: Alternate PowerShell Hosts
+id: fe6e002f-f244-4278-9263-20e4b593827f
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+status: experimental
+date: 2019/09/12
+modified: 2021/05/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Description: 'System.Management.Automation'
+ ImageLoaded|contains: 'System.Management.Automation'
+ filter:
+ Image|endswith: '\powershell.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
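Review bot: The `filter` excludes only `\powershell.exe`, so legitimate PowerShell hosts such as powershell_ise.exe and pwsh.exe will fire this rule as "alternate hosts"; if they are meant to be benign, extend the filter, e.g. `Image|endswith:` with `'\powershell.exe'`, `'\powershell_ise.exe'`, `'\pwsh.exe'`. The sysmon_in_memory_powershell.yml change in this same diff maintains a longer exclusion list for the same detection idea and could serve as the baseline. Whether those hosts belong in the filter depends on the environment, so at minimum name them under `falsepositives` instead of `Unknown`.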
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 7c077934ca6..d4f1dcd252e 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -2,9 +2,9 @@ title: In-memory PowerShell
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
status: experimental
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-author: Tom Kern, oscd.community
+author: Tom Kern, oscd.community, Natalia Shornikova
date: 2019/11/14
-modified: 2019/11/30
+modified: 2020/10/12
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
@@ -27,6 +27,12 @@ detection:
- '\WINDOWS\System32\sdiagnhost.exe'
- '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
- '\WINDOWS\System32\RemoteFXvGPUDisablement.exe' # on win10
+ - '\sqlps.exe'
+ - '\wsmprovhost.exe'
+ - '\winrshost.exe'
+ - '\syncappvpublishingserver.exe'
+ - '\runscripthelper.exe'
+ - '\ServerManager.exe'
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives:
diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
index 50568b56039..d2158436465 100755
--- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
@@ -18,9 +18,9 @@ detection:
selector:
Image: 'C:\Windows\System32\rundll32.exe'
dllload1:
- ImageLoaded: '*\vaultcli.dll'
+ ImageLoaded|endswith: '\vaultcli.dll'
dllload2:
- ImageLoaded: '*\wlanapi.dll'
+ ImageLoaded|endswith: '\wlanapi.dll'
exclusion:
ImageLoaded:
- 'ntdsapi.dll'
diff --git a/rules/windows/image_load/sysmon_pcre_net_load.yml b/rules/windows/image_load/sysmon_pcre_net_load.yml
new file mode 100644
index 00000000000..383a83b9d71
--- /dev/null
+++ b/rules/windows/image_load/sysmon_pcre_net_load.yml
@@ -0,0 +1,23 @@
+title: PCRE.NET Package Image Load
+id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+description: Detects processes loading modules related to PCRE.NET package
+status: experimental
+date: 2020/10/29
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059
+references:
+ - https://twitter.com/rbmaslen/status/1321859647091970051
+ - https://twitter.com/tifkin_/status/1321916444557365248
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index b0d0303f988..111759c390b 100755
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
tags:
- attack.execution
- attack.t1086 # an old one
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- Description: 'system.management.automation'
- ImageLoaded|contains: 'system.management.automation'
+ Description: 'System.Management.Automation'
+ ImageLoaded|contains: 'System.Management.Automation'
condition: selection
fields:
- ComputerName
diff --git a/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000000..59f8621ed52
--- /dev/null
+++ b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -0,0 +1,30 @@
+title: WMI Script Host Process Image Loaded
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
+status: experimental
+date: 2020/09/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
+references:
+ - https://twitter.com/HunterPlaybook/status/1301207718355759107
+ - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\scrcons.exe'
+ ImageLoaded|endswith:
+ - '\vbscript.dll'
+ - '\wbemdisp.dll'
+ - '\wshom.ocx'
+ - '\scrrun.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 5a2bc710f29..5bf5305590b 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -16,11 +16,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\notepad.exe'
- ImageLoaded:
- - '*\samlib.dll'
- - '*\WinSCard.dll'
+ Image|endswith:
+ - '\notepad.exe'
+ ImageLoaded|endswith:
+ - '\samlib.dll'
+ - '\WinSCard.dll'
condition: selection
falsepositives:
- Very likely, needs more tuning
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index a8c6f2ec567..c9d881196e4 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\assembly\\*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 59b043baad9..f75cce09420 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\clr.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\clr.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index a9f82019467..fa018279690 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 9897408c63d..f6297faef88 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\dsparse.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\dsparse.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 2ac8622f517..b4203073441 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\kerberos.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\kerberos.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml
new file mode 100644
index 00000000000..ba7f3d7d4f3
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml
@@ -0,0 +1,25 @@
+title: Python Py2Exe Image Load
+id: cbb56d62-4060-40f7-9466-d8aaf3123f83
+description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
+status: experimental
+date: 2020/05/03
+modified: 2021/05/12
+author: Patrick St. John, OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1027.002
+references:
+ - https://www.py2exe.org/
+ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Description: 'Python Core'
+ condition: selection
+fields:
+ - Description
+falsepositives:
+ - Legit Py2Exe Binaries
+level: medium
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
new file mode 100644
index 00000000000..701d372fa88
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -0,0 +1,31 @@
+title: CLR DLL Loaded Via Scripting Applications
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+status: experimental
+description: Detects CLR DLL being loaded by an scripting applications
+references:
+ - https://github.com/tyranid/DotNetToJScript
+ - https://thewover.github.io/Introducing-Donut/
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+author: omkar72, oscd.community
+date: 2020/10/14
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ ImageLoaded|endswith:
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
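Review bot: The tags `attack.privilege_escalation` and `attack.t1055` (Process Injection) do not describe what the selection detects; loading `clr.dll`/`mscoree.dll`/`mscorlib.dll` into wscript/cscript/mshta is CLR hosting from a script host, which is the execution technique the DotNetToJScript and Donut references describe. Something like `- attack.t1059.005`, `- attack.t1059.007` and, for the mshta entry, `- attack.t1218.005` would let analysts pivot to the right technique; confirm against the current ATT&CK IDs before committing. With `falsepositives: unknown` at `level: high`, a one-line note on whether legitimate .NET-hosting scripts were observed during testing would also help tuning.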
diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
new file mode 100644
index 00000000000..771952fe714
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -0,0 +1,24 @@
+title: Suspicious System.Drawing Load
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1113
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ ImageLoaded|endswith: '\System.Drawing.ni.dll'
+ filter:
+ Image|endswith: '\WmiPrvSE.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
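Review bot: `falsepositives: unknown` at `level: medium` undersells this rule: the only exclusion is `WmiPrvSE.exe`, while `System.Drawing.ni.dll` is the NGEN image of the standard .NET System.Drawing assembly, so any WinForms/GDI+ application or PowerShell script that draws or resizes an image will load it. I would state that explicitly, e.g. `- Any .NET application using System.Drawing (WinForms, GDI+); tune by Image for your environment`. Note also that the `endswith` only sees the NGEN image; if a host loads the plain `System.Drawing.dll` instead (presumably when native images are missing or invalidated), this rule will not fire, so confirm before relying on it alone. The file also lacks a trailing newline.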
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index fedeecf64ad..262d9c7dc4d 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -16,15 +16,15 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\VBE7.DLL'
- - '*\VBEUI.DLL'
- - '*\VBE7INTL.DLL'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\VBE7.DLL'
+ - '\VBEUI.DLL'
+ - '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
index dee953accd3..bdbbc5b27d0 100755
--- a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -16,17 +16,17 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\wmiutils.dll'
- - '*\wbemcomn.dll'
- - '*\wbemprox.dll'
- - '*\wbemdisp.dll'
- - '*\wbemsvc.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\wmiutils.dll'
+ - '\wbemcomn.dll'
+ - '\wbemprox.dll'
+ - '\wbemdisp.dll'
+ - '\wbemsvc.dll'
condition: selection
falsepositives:
- Possible. Requires further testing.
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 9d009c2973d..6247ee4f900 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -21,15 +21,15 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- ImageLoaded:
- - '*\tsmsisrv.dll'
- - '*\tsvipsrv.dll'
- - '*\wlbsctrl.dll'
+ Image|endswith:
+ - '\svchost.exe'
+ ImageLoaded|endswith:
+ - '\tsmsisrv.dll'
+ - '\tsvipsrv.dll'
+ - '\wlbsctrl.dll'
filter:
- ImageLoaded:
- - 'C:\Windows\WinSxS\\*'
+ ImageLoaded|startswith:
+ - 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Pentest
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 00000000000..64f945e89ba
--- /dev/null
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,38 @@
+action: global
+title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+detection:
+ condition: 1 of them
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection1:
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection2:
+ ParentImage|endswith:
+ - '\tttracer.exe'
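Review bot: The global header is missing a `status:` field, which every other new rule in this change carries; add `status: experimental` after the `id` line so validation and consumers treat it consistently. The image_load document (`selection1`) matches the TTD DLLs in any process, so legitimate recording sessions by developers (already listed under falsepositives) will fire at `level: high` on every recorded process, not only on tttracer.exe launches; if that volume is a concern, an `Image|endswith: '\lsass.exe'`-style narrowing or a lower level for that branch is worth considering. The process_creation branch only sees processes launched by tttracer.exe, so an attach to a running process presumably relies entirely on the DLL-load branch.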
diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 00000000000..46200f57b52
--- /dev/null
+++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
@@ -0,0 +1,31 @@
+title: UAC Bypass With Fake DLL
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+status: experimental
+description: Attempts to load dismcore.dll after dropping it
+references:
+ - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1574.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\dism.exe'
+ ImageLoaded|endswith:
+ - '\dismcore.dll'
+ filter:
+ ImageLoaded:
+ - 'C:\Windows\System32\Dism\dismcore.dll'
+ condition: selection
+falsepositives:
+ - Pentests
+ - Actions of a legitimate telnet client
+level: high
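Review bot: The `filter` defined for the legitimate `C:\Windows\System32\Dism\dismcore.dll` is never applied, because the condition is `condition: selection`; as written, every normal dism.exe run fires this `level: high` rule. It should read `condition: selection and not filter`. Unrelatedly, the falsepositive entry `Actions of a legitimate telnet client` looks copy-pasted from another rule and has nothing to do with dism.exe; replace it with the actual benign case (e.g. `- Legitimate DISM usage if the filter does not cover your system drive`).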
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
new file mode 100644
index 00000000000..92db1c231a9
--- /dev/null
+++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -0,0 +1,29 @@
+title: UIPromptForCredentials DLLs
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
+references:
+ - https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+ - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|endswith:
+ - '\credui.dll'
+ - '\wincredui.dll'
+ - OriginalFileName:
+ - 'credui.dll'
+ - 'wincredui.dll'
+ condition: selection
+falsepositives:
+ - other legitimate processes loading those DLLs in your environment.
+level: medium
\ No newline at end of file
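Review bot: The selection has no process scoping, so it fires for every load of `credui.dll`/`wincredui.dll` by any process, which the falsepositives line itself concedes; at `level: medium` that is a lot of noise for a "potential use" signal. The references are all PowerShell-driven prompts, so an `Image|endswith` restriction to script hosts and LOLBins (powershell.exe, pwsh.exe, cscript.exe, wscript.exe, rundll32.exe) in the same selection would turn this into something actionable, with the unscoped version left as a hunting query if that is the intent. Either way, the description should say which of the two it is. The file also lacks a trailing newline.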
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 6b46e7b0ff2..e9330938330 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
tags:
- attack.execution
- attack.t1047
diff --git a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
new file mode 100644
index 00000000000..91d711f5c4b
--- /dev/null
+++ b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
@@ -0,0 +1,26 @@
+title: WMIC Loading Scripting Libraries
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
+status: experimental
+date: 2020/10/17
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+references:
+ - https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+ - https://twitter.com/dez_/status/986614411711442944
+ - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wmic.exe'
+ ImageLoaded|endswith:
+ - '\jscript.dll'
+ - '\vbscript.dll'
+ condition: selection
+falsepositives:
+ - Apparently, wmic os get lastboottuptime loads vbscript.dll
+level: high
\ No newline at end of file
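Review bot: The falsepositives line has a typo, `lastboottuptime` should be `lastbootuptime` (the WMI property is LastBootUpTime), and since that benign command is documented to trigger the rule, `level: high` is hard to justify without a way to suppress it. Image-load events carry no command line, so the `/FORMAT` switch the description talks about cannot be checked from this log source; I would say so in the description (`Image load events do not expose the command line; correlate with a process_creation rule on /format`) and either lower the level or add the correlation explicitly. The file also lacks a trailing newline.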
diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
new file mode 100644
index 00000000000..953e556e866
--- /dev/null
+++ b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
@@ -0,0 +1,38 @@
+title: Suspicious WSMAN Provider Image Loads
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+status: experimental
+date: 2020/06/24
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ category: image_load
+ product: windows
+detection:
+ request_client:
+ - ImageLoaded|endswith:
+ - '\WsmSvc.dll'
+ - '\WsmAuto.dll'
+ - '\Microsoft.WSMan.Management.ni.dll'
+ - OriginalFileName:
+ - WsmSvc.dll
+ - WSMANAUTOMATION.DLL
+ - Microsoft.WSMan.Management.dll
+ filter_ps:
+ Image|endswith: '\powershell.exe'
+ respond_server:
+ Image|endswith: '\svchost.exe'
+ OriginalFileName: 'WsmWmiPl.dll'
+ condition: (request_client and not filter_ps) or respond_server
+falsepositives:
+ - Unknown
+level: medium
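Review bot: `filter_ps` only excludes `\powershell.exe`, so PowerShell 7 (pwsh.exe) using WSMan cmdlets will presumably match `request_client` through the `OriginalFileName: Microsoft.WSMan.Management.dll` branch and alert on every remoting session. If that is not intended, widen the filter: `Image|endswith: ['\powershell.exe', '\pwsh.exe']`. Keep wsmprovhost.exe out of the filter, since that host is exactly the remote-execution signal the `respond_server` branch is meant to complement.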
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index cbdec2bcf4f..94ec45d72f6 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
@@ -15,16 +15,20 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "*MeteTool*"
- - "*MPreter*"
- - "*Meterpreter*"
- - "*Metasploit*"
- - "*PowerSploit*"
- - "*CobaltSrike*"
- - "*Swrort*"
- - "*Rozena*"
- - "*Backdoor.Cobalt*"
+ Signature|contains:
+ - "MeteTool"
+ - "MPreter"
+ - "Meterpreter"
+ - "Metasploit"
+ - "PowerSploit"
+ - "CobaltSrike"
+ - "Swrort"
+ - "Rozena"
+ - "Backdoor.Cobalt"
+ - "CobaltStr"
+ - "COBEACON"
+ - "Cometer"
+ - "Razy"
condition: selection
fields:
- FileName
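Review bot: The new `"Razy"` entry is, in my experience, a generic family name that several engines apply to a wide range of unrelated samples (e.g. Trojan.Win32.Razy), so it will pull many non-framework alerts into a rule scoped to exploitation tooling; the title and description are outside this hunk, so adjust if the scope is broader than I assume. If it stays, list it under `falsepositives` (`- Generic Razy detections that are not exploitation frameworks`) or move it to the generic AV rule. `"Cometer"` and `"COBEACON"` are specific enough to keep as they are.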
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 77cc9d4331f..dc75de349e7 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -17,17 +17,19 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "*DumpCreds*"
- - "*Mimikatz*"
- - "*PWCrack*"
+ Signature|contains:
+ - "DumpCreds"
+ - "Mimikatz"
+ - "PWCrack"
- "HTool/WCE"
- - "*PSWtool*"
- - "*PWDump*"
- - "*SecurityTool*"
- - "*PShlSpy*"
- - "*Rubeus*"
- - "*Kekeo*"
+ - "PSWtool"
+ - "PWDump"
+ - "SecurityTool"
+ - "PShlSpy"
+ - "Rubeus"
+ - "Kekeo"
+ - "LsassDump"
+ - "Outflank"
condition: selection
fields:
- FileName
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index 747bd494a5c..c200959a237 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -2,41 +2,70 @@ title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
-modified: 2019/10/04
-author: Florian Roth
+modified: 2021/05/09
+author: Florian Roth, Arnim Rupp
references:
- - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+ - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
logsource:
product: antivirus
detection:
selection:
- FileName:
- - 'C:\Windows\Temp\\*'
- - 'C:\Temp\\*'
- - '*\\Client\\*'
- - 'C:\PerfLogs\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- - '*.ps1'
- - '*.vbs'
- - '*.bat'
- - '*.chm'
- - '*.xml'
- - '*.txt'
- - '*.jsp'
- - '*.jspx'
- - '*.asp'
- - '*.aspx'
- - '*.php'
- - '*.war'
- - '*.hta'
- - '*.lnk'
- - '*.scf'
- - '*.sct'
- - '*.vbe'
- - '*.wsf'
- - '*.wsh'
- condition: selection
+ - FileName|startswith:
+ - 'C:\Windows\'
+ - 'C:\Temp\'
+ - 'C:\PerfLogs\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - FileName|contains:
+ - '\Client\'
+ - '\tsclient\'
+ - '\inetpub\'
+ - '/www/'
+ - 'apache'
+ - 'tomcat'
+ - 'nginx'
+ - 'weblogic'
+ selection2:
+ Filename|endswith:
+ - '.ps1'
+ - '.psm1'
+ - '.vbs'
+ - '.bat'
+ - '.cmd'
+ - '.sh'
+ - '.chm'
+ - '.xml'
+ - '.txt'
+ - '.jsp'
+ - '.jspx'
+ - '.asp'
+ - '.aspx'
+ - '.ashx'
+ - '.asax'
+ - '.asmx'
+ - '.php'
+ - '.cfm'
+ - '.py'
+ - '.pyc'
+ - '.pl'
+ - '.rb'
+ - '.cgi'
+ - '.war'
+ - '.ear'
+ - '.hta'
+ - '.lnk'
+ - '.scf'
+ - '.sct'
+ - '.vbe'
+ - '.wsf'
+ - '.wsh'
+ - '.gif'
+ - '.png'
+ - '.jpg'
+ - '.jpeg'
+ - '.svg'
+ - '.dat'
+ condition: selection or selection2
fields:
- Signature
- User
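Review bot: `selection2` matches on `Filename|endswith`, while `selection` (and the original rule) use `FileName`; Sigma field names are case-sensitive for backend mapping, so the extension branch will most likely map to a non-existent field and silently never fire. Change it to `FileName|endswith:`. Separately, `FileName|startswith: 'C:\Windows\'` is a big widening from the old `C:\Windows\Temp\` (everything under System32 now qualifies); if that is deliberate per the v1.8 cheat sheet, a short comment on that line would stop the next reader from narrowing it back.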
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 3290dba48e8..3d9cc3105bb 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -1,14 +1,19 @@
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
-description: Detects a highly relevant Antivirus alert that reports a web shell
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
date: 2018/09/09
-modified: 2001/01/07
+modified: 2021/05/08
author: Florian Roth, Arnim Rupp
references:
- - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/
+ - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+ - https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+ - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+ - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
+ - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
+ - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100
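Review bot: Since this hunk already revises the metadata, the tag `attack.t1100` is worth updating: Web Shell was deprecated as T1100 in ATT&CK and is now T1505.003, so tooling that validates technique IDs will flag it. Replace with `- attack.t1505.003` (confirm against the ATT&CK version your validator uses). The much longer description is fine, but `It's highly recommended to tune...` reads as guidance rather than a description; moving that sentence into `falsepositives` keeps the description to what the rule detects.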
@@ -17,26 +22,49 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "PHP/Backdoor*"
- - "JSP/Backdoor*"
- - "ASP/Backdoor*"
- - "Backdoor?PHP*"
- - "Backdoor?JSP*"
- - "Backdoor?ASP*"
- - "Backdoor?Java*"
- - "*Webshell*"
- - "*Chopper*"
- - "*ASPXSpy*"
- - "*Aspdoor*"
- - "*PHP:*"
- - "*PHPShell*"
- - "*Trojan.PHP*"
- - "*Trojan.ASP*"
- - "*Trojan.JSP*"
- - "*PHP?Agent*"
- - "*ASP?Agent*"
- - "*JSP?Agent*"
+ - Signature|startswith:
+ - "PHP/"
+ - "JSP/"
+ - "ASP/"
+ - "Perl/"
+ - "PHP."
+ - "JSP."
+ - "ASP."
+ - "Perl."
+ - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops
+ - "IIS/BackDoor"
+ - "JAVA/Backdoor"
+ - "Troj/ASP"
+ - "Troj/PHP"
+ - "Troj/JSP"
+ - Signature|contains:
+ - "Webshell"
+ - "Chopper"
+ - "SinoChoper"
+ - "ASPXSpy"
+ - "Aspdoor"
+ - "filebrowser"
+ - "PHP_"
+ - "JSP_"
+ - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops
+ - "PHP:"
+ - "JSP:"
+ - "ASP:"
+ - "Perl:"
+ - "PHPShell"
+ - "Trojan.PHP"
+ - "Trojan.ASP"
+ - "Trojan.JSP"
+ - "Trojan.VBS"
+ - "PHP?Agent"
+ - "ASP?Agent"
+ - "JSP?Agent"
+ - "VBS?Agent"
+ - "Backdoor?PHP"
+ - "Backdoor?JSP"
+ - "Backdoor?ASP"
+ - "Backdoor?VBS"
+ - "Backdoor?Java"
condition: selection
fields:
- FileName
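Review bot: The inline comments on `"VBS/Uxor"` and `"ASP_"` explain that plain `VBS/` or `VBS_` would sweep in desktop downloaders and droppers, yet the same hunk adds `"Trojan.VBS"`, `"VBS?Agent"` and `"Backdoor?VBS"` under `Signature|contains`, which will match exactly those desktop VBS signatures. Either narrow them to web-shell-specific names the way `VBS/Uxor` was, or drop them and note the gap in `falsepositives` (`- Desktop VBS droppers if VBS signatures are re-added`). Also check that your backends treat `?` inside a `contains` value as a single-character wildcard as intended; if not, `"Backdoor?PHP"` will only match the literal question mark.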
diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml
index 42fe48baeb2..987e7a7fea6 100644
--- a/rules/windows/malware/mal_azorult_reg.yml
+++ b/rules/windows/malware/mal_azorult_reg.yml
@@ -11,14 +11,14 @@ tags:
- attack.t1112
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
selection:
EventID:
- 12
- 13
- TargetObject:
- - '*SYSTEM\\*\services\localNETService'
+ TargetObject|contains: 'SYSTEM\'
+ TargetObject|endswith: '\services\localNETService'
condition: selection
fields:
- Image
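Review bot: After switching to `category: registry_event`, the `EventID: [12, 13]` selection is redundant and inconsistent with the ursnif and blue_mockingbird conversions in this same change, which drop it; in the standard Sysmon mapping the category already carries the event ID restriction, and keeping it ties the rule to Sysmon numbering for non-Sysmon registry sources. I would remove the three `EventID` lines and leave only the two `TargetObject` modifiers. If the explicit IDs are kept on purpose, a comment saying why would avoid the next cleanup pass removing them.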
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index c40f28d76f1..0752d9584c0 100644
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -37,9 +37,8 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
mod_reg:
- EventID: 13
TargetObject|endswith:
- '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml
new file mode 100644
index 00000000000..26d609be490
--- /dev/null
+++ b/rules/windows/malware/win_mal_darkside.yml
@@ -0,0 +1,28 @@
+title: DarkSide Ransomware Pattern
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+status: experimental
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+ - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - "=[char][byte]('0x'+"
+ - ' -work worker0 -path '
+ selection2:
+ ParentCommandLine|contains:
+ - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ Image|contains:
+ - '\AppData\Local\Temp\'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+ - UAC bypass method used by other malware
+level: critical
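Review bot: The rule has no `tags:` block, unlike the other malware rules in this change (e.g. LockerGoga with `attack.impact` / `attack.t1486`); add `tags:` with `- attack.impact`, `- attack.t1486` and, for the `selection2` branch, `- attack.t1548.002` so the alerts map to ATT&CK. `selection2` keys on the CMSTPLUA COM CLSID plus an image under `\AppData\Local\Temp\`, which as the falsepositives line admits is a generic UAC-bypass pattern rather than a DarkSide marker; at `level: critical` with a DarkSide title, analysts may misattribute, so consider noting in the description that `selection2` is a shared bypass indicator.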
diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
index 37e315f9002..95a72af54b6 100644
--- a/rules/windows/malware/win_mal_flowcloud.yml
+++ b/rules/windows/malware/win_mal_flowcloud.yml
@@ -11,18 +11,20 @@ tags:
date: 2020/06/09
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
selection:
EventID:
- 12 # key create
- 13 # value set
- TargetObject:
+ selection2:
+ - TargetObject:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- - 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
- condition: selection
+ - TargetObject|startswith:
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\'
+ condition: selection and selection2
falsepositives:
- Unknown
level: critical
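Review bot: The three exact-match `TargetObject:` entries in `selection2` name only the key path, but for EventID 13 (value set) Sysmon records the value name appended to the key, as the `\Parameters\ServiceDll` match in win_mal_blue_mockingbird shows, so those entries presumably only catch key creation (12) and miss value writes beneath the GUID keys. Using `TargetObject|startswith` for all four paths (`'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'` etc.) would cover both; confirm against a real FlowCloud sample before changing. As in the azorult conversion, the explicit `EventID` selection is redundant once `category: registry_event` is set.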
diff --git a/rules/windows/malware/win_mal_lockergoga.yml b/rules/windows/malware/win_mal_lockergoga.yml
new file mode 100644
index 00000000000..c22d83ab725
--- /dev/null
+++ b/rules/windows/malware/win_mal_lockergoga.yml
@@ -0,0 +1,23 @@
+title: LockerGoga Ransomware
+id: 74db3488-fd28-480a-95aa-b7af626de068
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+status: experimental
+references:
+ - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+ - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+ - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+tags:
+ - attack.impact
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '-i SM-tgytutrc -s'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
index 0c710eae5be..a76955bea39 100644
--- a/rules/windows/malware/win_mal_octopus_scanner.yml
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -11,15 +11,13 @@ author: NVISO
date: 2020/06/09
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
- filecreate:
- EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
- condition: filecreate and selection
+ condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml
index aa5977d2381..02603871b71 100644
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@@ -11,10 +11,15 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\net.exe stop "samss" *'
- - '*\net.exe stop "audioendpointbuilder" *'
- - '*\net.exe stop "unistoresvc_?????" *'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'stop'
+ CommandLine|contains:
+ - 'samss'
+ - 'audioendpointbuilder'
+ - 'unistoresvc_?????'
condition: selection
falsepositives:
- Unlikely
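Review bot: `CommandLine|contains|all:` with a single value is a no-op, since `all` only changes semantics for lists of two or more; the AND with the service-name list is already achieved by the two keys sitting in the same selection, so `CommandLine|contains: 'stop'` is equivalent and clearer. Adding `\net1.exe` to `Image` means a single `net stop samss` will usually produce two alerts (net.exe plus the net1.exe child it spawns); that may be acceptable, but it is worth a note in `falsepositives` or a correlation hint so analysts do not count duplicates.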
diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml
index 902d85ae346..ca934073f7d 100644
--- a/rules/windows/malware/win_mal_ursnif.yml
+++ b/rules/windows/malware/win_mal_ursnif.yml
@@ -12,11 +12,10 @@ author: megan201296
date: 2019/02/13
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
selection:
- EventID: 13
- TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+ TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
new file mode 100644
index 00000000000..ab68f0b043f
--- /dev/null
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,26 @@
+title: Silenttrinity Stager Msbuild Activity
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+description: Detects a possible remote connections to Silenttrinity c2
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+tags:
+ - attack.execution
+ - attack.t1127.001
+status: experimental
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\msbuild.exe'
+ filter:
+ DestinationPort:
+ - '80'
+ - '443'
+ Initiated: 'true'
+ condition: selection and filter
+falsepositives:
+ - unknown
+level: high
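Review bot: `ParentImage` is not a field of Sysmon network-connection events (Event ID 3 carries Image, User, Protocol, Initiated, source/destination IP and port), so on Sysmon data this selection can never match; the msbuild.exe process is the one making the connection, so it should be `Image|endswith: '\msbuild.exe'`. The block named `filter` is used as a positive constraint (`selection and filter`), which reads as if an exclusion were intended; rename it or fold `DestinationPort` and `Initiated` into `selection`. The ports are also quoted strings here while sibling rules use integers (`DestinationPort: 3389`); use numbers for consistency with the other network rules.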
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 48a2a8c468d..e971761544e 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -18,29 +18,29 @@ logsource:
product: windows
detection:
selection:
- Image: '*\dllhost.exe'
+ Image|endswith: '\dllhost.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index a8dd264d630..6ab3c851a44 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -70,28 +70,28 @@ detection:
- '4040'
- '9943'
filter1:
- Image: '*\Program Files*'
+ Image|contains: '\Program Files'
filter2:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
DestinationIsIpv6: 'false'
condition: selection and not ( filter1 or filter2 )
falsepositives:
diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
index 857d1e7e59f..0ab14bd517e 100755
--- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
@@ -18,7 +18,7 @@ date: 2020/05/14
modified: 2020/08/24
detection:
selection:
- Image: '*\notepad.exe'
+ Image|endswith: '\notepad.exe'
filter:
DestinationPort: '9100'
condition: selection and not filter
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index 23d39f5bd37..4a110b53e16 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -16,28 +16,28 @@ logsource:
product: windows
detection:
selection:
- Image: '*\powershell.exe'
+ Image|endswith: '\powershell.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
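Review bot: The loopback entry is left as `'127.0.0.1'` under `DestinationIp|startswith`, while the dllhost and rundll32 rules in this same change use `'127.'`; the prefix still works here, but `- '127.'` keeps the three filters identical and covers the rest of the loopback block. The rewritten `Image|endswith: '\powershell.exe'` still does not include pwsh.exe, so PowerShell 7 connections from SYSTEM will not be seen by this rule; if that gap is intended, say so in the description.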
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index 77bde60a2de..b425254486c 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
-modified: 2020/08/24
+modified: 2021/05/11
tags:
- attack.command_and_control
- attack.t1572
@@ -19,13 +19,15 @@ logsource:
product: windows
detection:
selection:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
Initiated: 'true'
SourcePort: 3389
- DestinationIp:
- - '127.*'
+ selection2:
+ - DestinationIp|startswith:
+ - '127.'
+ - DestinationIp:
- '::1'
- condition: selection
+ condition: selection and selection2
falsepositives:
- unknown
level: high
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index de8934dcbf1..f25bc0b4210 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
modified: 2020/08/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 3766fc09135..75920a6531a 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -17,29 +17,29 @@ logsource:
product: windows
detection:
selection:
- Image: '*\rundll32.exe'
+ Image|endswith: '\rundll32.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
index 9b152411f15..b8c4544dcf3 100755
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -12,19 +12,21 @@ logsource:
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
- Image:
- # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- - '*\$Recycle.bin'
- - '*\Users\All Users\\*'
- - '*\Users\Default\\*'
- - '*\Users\Public\\*'
- - '*\Users\Contacts\\*'
- - '*\Users\Searches\\*'
- - 'C:\Perflogs\\*'
- - '*\config\systemprofile\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
+ - Image|contains:
+ # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Public\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
+ - Image|endswith:
+ - '\$Recycle.bin'
+ - Image|startswith:
+ - 'C:\Perflogs\'
condition: selection
falsepositives:
- unknown
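Review bot: `Image|endswith: '\$Recycle.bin'` only matches a process whose image path ends in the directory name itself, which is unlikely for an executable; the old `'*\$Recycle.bin'` had the same gap, so this presumably should be `Image|contains: '\$Recycle.bin\'` to catch anything executed from inside the recycle bin. The other entries convert cleanly, and splitting the selection into `contains`/`endswith`/`startswith` maps makes the intent clearer than the old double-backslash escapes.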
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 8955b940fa8..e12fde6268a 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -20,26 +20,26 @@ detection:
DestinationPort: 3389
Initiated: 'true'
filter:
- Image:
- - '*\mstsc.exe'
- - '*\RTSApp.exe'
- - '*\RTS2App.exe'
- - '*\RDCMan.exe'
- - '*\ws_TunnelService.exe'
- - '*\RSSensor.exe'
- - '*\RemoteDesktopManagerFree.exe'
- - '*\RemoteDesktopManager.exe'
- - '*\RemoteDesktopManager64.exe'
- - '*\mRemoteNG.exe'
- - '*\mRemote.exe'
- - '*\Terminals.exe'
- - '*\spiceworks-finder.exe'
- - '*\FSDiscovery.exe'
- - '*\FSAssessment.exe'
- - '*\MobaRTE.exe'
- - '*\chrome.exe'
- - '*\thor.exe'
- - '*\thor64.exe'
+ Image|endswith:
+ - '\mstsc.exe'
+ - '\RTSApp.exe'
+ - '\RTS2App.exe'
+ - '\RDCMan.exe'
+ - '\ws_TunnelService.exe'
+ - '\RSSensor.exe'
+ - '\RemoteDesktopManagerFree.exe'
+ - '\RemoteDesktopManager.exe'
+ - '\RemoteDesktopManager64.exe'
+ - '\mRemoteNG.exe'
+ - '\mRemote.exe'
+ - '\Terminals.exe'
+ - '\spiceworks-finder.exe'
+ - '\FSDiscovery.exe'
+ - '\FSAssessment.exe'
+ - '\MobaRTE.exe'
+ - '\chrome.exe'
+ - '\thor.exe'
+ - '\thor64.exe'
condition: selection and not filter
falsepositives:
- Other Remote Desktop RDP tools
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 1d197ab93e7..a63c8b1e021 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -21,10 +21,10 @@ logsource:
detection:
selection:
Initiated: 'true'
- DestinationHostname:
- - '*.github.com'
- - '*.githubusercontent.com'
- Image: 'C:\Windows\\*'
+ DestinationHostname|endswith:
+ - '.github.com'
+ - '.githubusercontent.com'
+ Image|startswith: 'C:\Windows\'
condition: selection
falsepositives:
- 'Unknown'
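Review bot: `DestinationHostname|endswith: '.github.com'` cannot match the apex host `github.com` itself, because the leading dot requires a subdomain; the same holds for `.githubusercontent.com` here and for `.pastebin.com` in sysmon_win_binary_susp_com.yml. The old `'*.github.com'` had the identical limitation, so only change it if apex connections are in scope, for example by adding `- 'github.com'` as a further value. The `Image|startswith: 'C:\Windows\'` rewrite is equivalent to the old wildcard.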
diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
index 6e324b9cbfb..4422fc1e533 100755
--- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection:
Initiated: 'true'
- DestinationHostname:
- - '*dl.dropboxusercontent.com'
- - '*.pastebin.com'
- - '*.githubusercontent.com' # includes both gists and github repositories
- Image: 'C:\Windows\\*'
+ DestinationHostname|endswith:
+ - 'dl.dropboxusercontent.com'
+ - '.pastebin.com'
+ - '.githubusercontent.com' # includes both gists and github repositories
+ Image|startswith: 'C:\Windows\'
condition: selection
falsepositives:
- 'Unknown'
diff --git a/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
new file mode 100644
index 00000000000..5407c0a6d4c
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
@@ -0,0 +1,21 @@
+title: Wuauclt Network Connection
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+references:
+ - https://dtm.uk/wuauclt/
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|contains: wuauclt
+ condition: selection
+falsepositives:
+ - Legitimate use of wuauclt.exe over the network.
+level: medium
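Review bot: `Image|contains: wuauclt` matches any image path containing the substring, including a directory name, while the description targets the Windows Update Client binary; `Image|endswith: '\wuauclt.exe'` would be the precise form and would also follow the quoting convention used by the other rules in this commit. The description's "making a network connections" should read "making network connections".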
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index e96a28233d2..6b0a4d4e331 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -1,15 +1,22 @@
+action: global
title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
-author: Ján Trenčanský
+modified: 2021/06/07
+author: Ján Trenčanský, frack113
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: stable
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
+falsepositives:
+ - Administrator actions
+level: high
+---
logsource:
product: windows
service: windefend
@@ -27,6 +34,13 @@ detection:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Details: 'DWORD (0x00000001)'
condition: 1 of them
-falsepositives:
- - Administrator actions
-level: high
+---
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ tamper_registry:
+ EventType: 'SetValue'
+ TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+ Details: 'DWORD (0x00000001)'
+ condition: tamper_registry
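Review bot: The new `registry_event` document watches the single value `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware`, whereas the windefend document above (`condition: 1 of them`) covers several policy keys; if the other settings are also meant to be caught through registry telemetry they need entries here, otherwise a `definition` line stating that this document is limited to `DisableAntiSpyware` would save the next reader the comparison. The hive is written `HKLM\` here and `HKEY_LOCAL_MACHINE\` in the windefend document; that difference is deliberate for Sysmon registry events versus Defender's own messages, so a short comment on the `TargetObject` line would stop someone from "harmonising" it. `status: stable` is kept although the rule gained a second logsource; consider whether that still holds before tuning.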
diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/win_defender_history_delete.yml
index cbdaac309ac..21f32aceff1 100644
--- a/rules/windows/other/win_defender_history_delete.yml
+++ b/rules/windows/other/win_defender_history_delete.yml
@@ -6,12 +6,13 @@ author: Cian Heasley
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
date: 2020/08/13
+modified: 2021/05/30
tags:
- attack.defense_evasion
- attack.t1070.001
logsource:
- category: windows
- product: windef
+ product: windows
+ service: windefend
detection:
selection:
EventID: 1013
diff --git a/rules/windows/other/win_exchange_TransportAgent_failed.yml b/rules/windows/other/win_exchange_TransportAgent_failed.yml
new file mode 100644
index 00000000000..9cad0aeae3c
--- /dev/null
+++ b/rules/windows/other/win_exchange_TransportAgent_failed.yml
@@ -0,0 +1,24 @@
+title: Failed MSExchange Transport Agent Installation
+id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
+status: experimental
+description: Detects a failed installation of a Exchange Transport Agent
+references:
+ - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+tags:
+ - attack.persistence
+ - attack.t1505.002
+author: Tobias Michalski
+date: 2021/06/08
+logsource:
+ service: msexchange-management
+ product: windows
+detection:
+ selection:
+ Message|contains: 'Install-TransportAgent'
+ EventID: 6
+ condition: selection
+fields:
+ - AssemblyPath
+falsepositives:
+ - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+level: high
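Review bot: The description reads `Detects a failed installation of a Exchange Transport Agent`; it should be `an Exchange Transport Agent`. The logsource `service: msexchange-management` must be mapped in the backend configurations for this rule to convert, which I cannot verify from the diff, so please confirm that mapping exists alongside this rule.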
diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml
new file mode 100644
index 00000000000..7371330559d
--- /dev/null
+++ b/rules/windows/other/win_lateral_movement_condrv.yml
@@ -0,0 +1,28 @@
+title: Lateral Movement Indicator ConDrv
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+status: stable
+description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
+author: Janantha Marasinghe
+date: 2021/04/27
+references:
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+ - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+tags:
+ - attack.lateral_movement
+ - attack.execution
+ - attack.t1021
+ - attack.t1059
+logsource:
+ product: windows
+ service: security
+ definition:
+detection:
+ selection:
+ EventID: 4674
+ ObjectServer: 'Security'
+ ObjectType: 'File'
+ ObjectName: '\Device\ConDrv'
+ condition: selection
+falsepositives:
+ - Penetration tests where lateral movement has occured. This event will be created on the target host.
+level: high
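Review bot: `definition:` in the logsource is left empty, which parses as `null`; either drop the key or state the prerequisite, presumably the privilege-use audit subcategory that produces event 4674, e.g. `definition: 'Requires auditing of privilege use to be enabled (Event ID 4674)'`. The description also has two wording issues: `This event should to be correlated` should be `This event should be correlated`, and `occured` in falsepositives should be `occurred`.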
diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml
new file mode 100644
index 00000000000..ee8ff3db571
--- /dev/null
+++ b/rules/windows/other/win_ldap_recon.yml
@@ -0,0 +1,76 @@
+title: LDAP Reconnaissance / Active Directory Enumeration
+id: 31d68132-4038-47c7-8f8e-635a39a7c174
+status: experimental
+description: Detects possible Active Directory enumeration via LDAP
+author: Adeem Mawani
+date: 2021/06/22
+references:
+ - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
+ - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+ - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
+logsource:
+ category: ldap_query
+ product: windows
+ definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
+detection:
+ generic_search:
+ EventID: 30
+ SearchFilter|contains:
+ - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
+ - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
+ - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
+ - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
+ - '(sAMAccountType=805306369)'
+ - '(sAMAccountType=805306368)'
+ - '(sAMAccountType=536870913)'
+ - '(sAMAccountType=536870912)'
+ - '(sAMAccountType=268435457)'
+ - '(sAMAccountType=268435456)'
+ - '(objectCategory=groupPolicyContainer)'
+ - '(objectCategory=organizationalUnit)'
+ - '(objectCategory=Computer)'
+ - '(objectCategory=nTDSDSA)'
+ - '(objectCategory=server)'
+ - '(objectCategory=domain)'
+ - '(objectCategory=person)'
+ - '(objectCategory=group)'
+ - '(objectCategory=user)'
+ - '(objectClass=trustedDomain)'
+ - '(objectClass=computer)'
+ - '(objectClass=server)'
+ - '(objectClass=group)'
+ - '(objectClass=user)'
+ - '(primaryGroupID=521)'
+ - '(primaryGroupID=516)'
+ - '(primaryGroupID=515)'
+ - '(primaryGroupID=512)'
+ - 'Domain Admins'
+ suspicious_flag:
+ EventID: 30
+ SearchFilter|contains:
+ - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
+ - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
+ - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
+ - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
+ - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
+ - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+ - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
+ - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
+ - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
+ - 'msDS-AllowedToDelegateTo'
+ - '(accountExpires=9223372036854775807)'
+ - '(accountExpires=0)'
+ - '(adminCount=1)'
+ - 'ms-MCS-AdmPwd'
+ narrow_down_filter:
+ EventID: 30
+ SearchFilter|contains:
+ - '(domainSid=*)'
+ - '(objectSid=*)'
+ condition: (generic_search and not narrow_down_filter) or (suspicious_flag)
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1069.002
+ - attack.t1087.002
+ - attack.t1482
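Review bot: `'(domainSid=*)'` and `'(objectSid=*)'` in `narrow_down_filter` contain an unescaped `*`, which Sigma treats as a wildcard, so the filter excludes any query with an equality on those attributes rather than only the literal presence filter; if the literal form is meant, escape it as `'(domainSid=\*)'` and `'(objectSid=\*)'`. `generic_search` also includes very common filters such as `'(objectClass=user)'`, `'(sAMAccountType=805306368)'` and the bare string `'Domain Admins'`, which many legitimate directory-aware applications issue, so the rule will be noisy without tuning. A `falsepositives` section, which every other rule in this commit carries, is missing and should at least name that class of applications.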
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
index 9a34a157568..eac2c43d174 100644
--- a/rules/windows/other/win_pcap_drivers.yml
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -16,16 +16,16 @@ logsource:
detection:
selection:
EventID: 4697
- ServiceFileName:
- - '*pcap*'
- - '*npcap*'
- - '*npf*'
- - '*nm3*'
- - '*ndiscap*'
- - '*nmnt*'
- - '*windivert*'
- - '*USBPcap*'
- - '*pktmon*'
+ ServiceFileName|contains:
+ - 'pcap'
+ - 'npcap'
+ - 'npf'
+ - 'nm3'
+ - 'ndiscap'
+ - 'nmnt'
+ - 'windivert'
+ - 'USBPcap'
+ - 'pktmon'
condition: selection
fields:
- EventID
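Review bot: With Sigma's case-insensitive `contains`, the entries `'npcap'` and `'USBPcap'` are subsumed by `'pcap'` and can be dropped without changing what the rule matches. The short substrings `'npf'`, `'nm3'` and `'nmnt'` carry over from the wildcard form, but now that they are plain substrings a comment naming the driver each stands for would help, since `nm3` and `nmnt` are not self-explanatory.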
diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
new file mode 100644
index 00000000000..df511823497
--- /dev/null
+++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -0,0 +1,28 @@
+title: Zerologon Exploitation Using Well-known Tools
+id: 18f37338-b9bd-4117-a039-280c81f7a596
+status: stable
+description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
+references:
+ - https://www.secura.com/blog/zero-logon
+ - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
+author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
+date: 2020/10/13
+modified: 2021/05/30
+tags:
+ - attack.t1210
+ - attack.lateral_movement
+logsource:
+ service: system
+ product: windows
+detection:
+ selection:
+ - EventID: '5805'
+ Message|contains:
+ - kali
+ - mimikatz
+ - EventID: '5723'
+ Message|contains:
+ - kali
+ - mimikatz
+ condition: selection
+level: critical
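Review bot: `EventID: '5805'` and `EventID: '5723'` are quoted strings while every other rule in this commit writes EventID as an integer (e.g. `EventID: 4674`); depending on the backend this yields a string comparison against a numeric field, so write `EventID: 5805` and `EventID: 5723`. `status: stable` is optimistic for a detection that hinges on the substrings `kali` and `mimikatz` in the message, which the description itself presents as a default-hostname dependency; consider `experimental`, and add the `falsepositives` section the other rules carry, noting that a renamed host is not caught.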
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 21176612972..3dee48d0318 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -5,7 +5,7 @@ status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
date: 2017/06/12
-modified: 2020/08/23
+modified: 2021/05/16
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -22,6 +22,8 @@ fields:
- ParentCommandLine
- ServiceName
- ServiceFileName
+ - TargetFileName
+ - PipeName
falsepositives:
- unknown
level: low
@@ -33,7 +35,7 @@ detection:
service_installation:
EventID: 7045
ServiceName: 'PSEXESVC'
- ServiceFileName: '*\PSEXESVC.exe'
+ ServiceFileName|endswith: '\PSEXESVC.exe'
service_execution:
EventID: 7036
ServiceName: 'PSEXESVC'
@@ -43,5 +45,19 @@ logsource:
product: windows
detection:
sysmon_processcreation:
- Image: '*\PSEXESVC.exe'
+ Image|endswith: '\PSEXESVC.exe'
User: 'NT AUTHORITY\SYSTEM'
+---
+logsource:
+ category: pipe_created
+ product: windows
+detection:
+ sysmon_pipecreated:
+ PipeName: '\PSEXESVC'
+---
+logsource:
+ category: file_event
+ product: windows
+detection:
+ sysmon_filecreation:
+ TargetFileName|endswith: '\PSEXESVC.exe'
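Review bot: The new `pipe_created` document matches only the exact pipe name `\PSEXESVC`; the companion rule sysmon_psexec_pipes_artifacts.yml added in this commit uses `PipeName|startswith`, and PsExec is known to create suffixed variants of this pipe as well, so `PipeName|startswith: '\PSEXESVC'` is the safer form. In the `file_event` document the field is written `TargetFileName` (also in the `fields` list added in the earlier hunk); Sysmon's file-create event names it `TargetFilename`, so confirm the casing against the other file_event rules and the backend field mappings. The global `condition` that has to reference `sysmon_pipecreated` and `sysmon_filecreation` is outside these hunks; make sure it was updated, otherwise the new documents never fire.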
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index dbb17a226f7..bf8e8a0f736 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,10 +1,11 @@
+action: global
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
-author: Florian Roth
+description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017/08/22
-modified: 2020/08/23
+modified: 2020/10/13
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
@@ -13,21 +14,32 @@ tags:
- attack.privilege_escalation
- attack.t1084 # an old one
- attack.t1546.003
+falsepositives:
+ - Unknown (data set is too small; further testing needed)
+level: medium
+---
logsource:
product: windows
- service: wmi
+ service: wmi #native windows detection
+ definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
detection:
- selection:
+ wmi_filter_to_consumer_binding:
EventID: 5861
- keywords:
- Message:
- - '*ActiveScriptEventConsumer*'
- - '*CommandLineEventConsumer*'
- - '*CommandLineTemplate*'
+ Message|contains:
+ - 'ActiveScriptEventConsumer'
+ - 'CommandLineEventConsumer'
+ - 'CommandLineTemplate'
# - 'Binding EventFilter' # too many false positive with HP Health Driver
- selection2:
+ wmi_filter_registration:
EventID: 5859
- condition: selection and 1 of keywords or selection2
-falsepositives:
- - Unknown (data set is too small; further testing needed)
-level: medium
+ condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ wmi_subscription:
+ EventID: 4662
+ ObjectType: 'WMI Namespace'
+ ObjectName|contains: 'subscription'
+ condition: wmi_subscription
\ No newline at end of file
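Review bot: The new security-log document relies on 4662 events for the `WMI Namespace` object type, which per the wmi document's own `definition` only appear when auditing and a SACL are configured on the namespace; that prerequisite is not repeated here, so add `definition: 'Requires a SACL on the WMI namespace (Event ID 4662)'` to this logsource as well. In the condition `OR` is upper-case while the repository uses lowercase operators; `condition: wmi_filter_to_consumer_binding or wmi_filter_registration` reads as the rest of the rules do. The inline comment `service: wmi #native windows detection` needs two spaces before `#`, and the file now ends without a trailing newline.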
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
similarity index 80%
rename from rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
rename to rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index 4e064bc8ede..742aaae9539 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -6,17 +6,16 @@ date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
tags:
- attack.execution
- attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
- service: sysmon
+ category: pipe_created
detection:
selection:
- EventID: 17
PipeName|startswith: '\PSHost'
filter:
Image|endswith:
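Review bot: The logsource moved to `category: pipe_created` and the explicit `EventID: 17` was dropped, but `modified: 2019/11/10` was left unchanged; the other rules in this commit bump `modified` when detection logic changes, so set it to the commit date. If the backend maps the category to both Sysmon pipe events rather than only 17, the rule now also covers pipe-connect events, which widens matching compared with before; state that in the description if it is intended. The filter that completes this selection continues past the end of the hunk.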
diff --git a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
similarity index 93%
rename from rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml
rename to rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
index 8ea9e3d5b01..313d3435aec 100755
--- a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
@@ -10,13 +10,10 @@ tags:
author: Markus Neis
logsource:
product: windows
- service: sysmon
+ category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
- EventID:
- - 17
- - 18
PipeName:
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\userpipe' # ruag apt case
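Review bot: `definition: 'Note that you have to configure logging for PipeEvents in Symson config'` still carries the `Symson` typo; this commit fixes the same sentence to `Sysmon` in sysmon_mal_namedpipes.yml and reintroduces it in the new sysmon_psexec_pipes_artifacts.yml, so correct it here and there too. No `modified` date is added despite the logsource change, unlike the other edited rules. The `PipeName` list continues past the end of the hunk.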
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
rename to rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
index 393aa87b3a1..ad56fd69ada 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
@@ -15,10 +15,9 @@ tags:
- attack.t1003.005
logsource:
product: windows
- service: sysmon
+ category: pipe_created
detection:
selection:
- EventID: 17
PipeName|contains:
- '\lsadump'
- '\cachedump'
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
new file mode 100644
index 00000000000..3075d846d7a
--- /dev/null
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -0,0 +1,36 @@
+title: CobaltStrike Named Pipe
+id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+status: experimental
+description: Detects the creation of a named pipe as used by CobaltStrike
+references:
+ - https://twitter.com/d4rksystem/status/1357010969264873472
+ - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+ - https://github.com/Neo23x0/sigma/issues/253
+ - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
+date: 2021/05/25
+author: Florian Roth, Wojciech Lesicki
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+detection:
+ selection_MSSE:
+ PipeName|contains|all:
+ - '\MSSE-'
+ - '-server'
+ selection_postex:
+ PipeName|startswith: '\postex_'
+ selection_postex_ssh:
+ PipeName|startswith: '\postex_ssh_'
+ selection_status:
+ PipeName|startswith: '\status_'
+ selection_msagent:
+ PipeName|startswith: '\msagent_'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
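Review bot: `selection_postex_ssh` (`PipeName|startswith: '\postex_ssh_'`) is fully contained in `selection_postex` (`PipeName|startswith: '\postex_'`), so under `condition: 1 of them` it never changes the outcome and can be removed, or should carry a comment explaining why it is kept. The prefixes `'\status_'` and `'\msagent_'` are short and generic for a `level: critical` rule whose `falsepositives` says only `Unknown`; a sentence on what telemetry they were validated against would help reviewers of the resulting alerts.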
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_mal_namedpipes.yml
rename to rules/windows/pipe_created/sysmon_mal_namedpipes.yml
index 195aee32c25..e425bf51bad 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -5,16 +5,13 @@ description: Detects the creation of a named pipe used by known APT malware
references:
- Various sources
date: 2017/11/06
-author: Florian Roth
+author: Florian Roth, blueteam0ps
logsource:
product: windows
- service: sysmon
- definition: 'Note that you have to configure logging for PipeEvents in Symson config'
+ category: pipe_created
+ definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
selection:
- EventID:
- - 17
- - 18
PipeName:
- '\isapi_http' # Uroburos Malware Named Pipe
- '\isapi_dg' # Uroburos Malware Named Pipe
@@ -29,9 +26,14 @@ detection:
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- - '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- '\gruntsvc' # Covenant default named pipe
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
+ - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
+ - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - '\svcctl' #Crackmapexec smbexec default named pipe
+ - '\Posh*' #PoshC2 default
+ - '\jaccdpqnvbrrxlaf' #PoshC2 default
+ - '\csexecsvc' #CSEXEC default
condition: selection
tags:
- attack.defense_evasion
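Review bot: `'\svcctl'` is the named pipe of the Service Control Manager RPC endpoint and is opened by ordinary remote service management tooling and agents, not only by the `Crackmapexec smbexec` case the comment cites; in a rule titled for known APT malware pipes it will fire on routine administration, so either move it to a separate, lower-level rule or document the expected noise in `falsepositives`. The new comments `#Crackmapexec smbexec default named pipe`, `#PoshC2 default` and `#CSEXEC default` lack the space after `#` used by the rest of the list, and `'\Posh*'` relies on the bare `*` wildcard — a comment saying so would stop a later conversion to `startswith` from silently changing it. `date: 2017/11/06` is unchanged; a `modified` entry should be added for these additions.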
diff --git a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml
new file mode 100644
index 00000000000..0546b2cdc25
--- /dev/null
+++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml
@@ -0,0 +1,21 @@
+title: T1086 PowerShell Execution
+id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
+description: Detects execution of PowerShell
+status: experimental
+date: 2019/09/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+logsource:
+ product: windows
+ category: pipe_created
+detection:
+ selection:
+ PipeName|startswith: '\PSHost'
+ condition: selection
+falsepositives:
+ - Unknown
+level: informational
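Review bot: This rule's selection (`PipeName|startswith: '\PSHost'`) is the same as that of sysmon_alternate_powershell_hosts_pipe.yml in this commit minus its filter, so every hit of that rule is also a hit here and, at `level: informational`, it fires on every PowerShell host start; if that is the purpose, say so in the description, since `Detects execution of PowerShell` does not mention the pipe or the overlap. The title `T1086 PowerShell Execution` carries the deprecated technique ID while the tag is `attack.t1059.001`; drop the ID from the title.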
diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml
new file mode 100644
index 00000000000..258a0a1d916
--- /dev/null
+++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml
@@ -0,0 +1,26 @@
+title: PsExec Pipes Artifacts
+id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+status: experimental
+description: Detecting use PsExec via Pipe Creation/Access to pipes
+author: Nikita Nazarov, oscd.community
+date: 2020/05/10
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for PipeEvents in Symson config'
+detection:
+ selection:
+ PipeName|startswith:
+ - 'psexec'
+ - 'paexec'
+ - 'remcom'
+ - 'csexec'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
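Review bot: `PipeName|startswith: 'psexec'` will not match a Sysmon pipe name, because those begin with a backslash — every other pipe rule in this commit writes the value as `'\PSEXESVC'`, `'\postex_'` and so on; use `PipeName|startswith: '\psexec'` and likewise `'\paexec'`, `'\remcom'`, `'\csexec'`, or `PipeName|contains` if a longer prefix is expected. The `definition` repeats the `Symson` typo that this commit fixes elsewhere, and `Detecting use PsExec via Pipe Creation/Access to pipes` should read `Detects use of PsExec via named pipe creation`.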
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
new file mode 100644
index 00000000000..4189204e137
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
new file mode 100644
index 00000000000..c8b63179ed7
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
@@ -0,0 +1,28 @@
+title: Execution via CL_Invocation.ps1 (2 Lines)
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ condition: selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+ # PS > SyncInvoke c:\Evil.exe
+falsepositives:
+ - Unknown
+level: high
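Review bot: `condition: selection2 | count(ScriptBlockText) by Computer > 2` has no `timeframe`, so the count runs over whatever window the backend defaults to, and `> 2` requires three matching script blocks although the title says `(2 Lines)` and the example comment shows exactly two; presumably `> 1` together with a `timeframe`, e.g. `timeframe: 5m` under `detection`, is intended. The same applies to powershell_CL_Mutexverifiers_LOLScript_v2.yml. Whether `count(ScriptBlockText)` is rendered as a distinct count or an event count varies by backend, so the description should say which the threshold assumes.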
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 00000000000..341b51f7964
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
new file mode 100644
index 00000000000..c4b47e1b829
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
@@ -0,0 +1,28 @@
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ condition: selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+ # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml
new file mode 100644
index 00000000000..862bbd69bd2
--- /dev/null
+++ b/rules/windows/powershell/powershell_accessing_win_api.yml
@@ -0,0 +1,71 @@
+title: Accessing WinAPI in PowerShell
+id: 03d83090-8cba-44a0-b02f-0b756a050306
+status: experimental
+description: Detecting use WinAPI Functions in PowerShell
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1106
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID:
+ - 4104
+ Message|contains:
+ - 'WaitForSingleObject'
+ - 'QueueUserApc'
+ - 'RtlCreateUserThread'
+ - 'OpenProcess'
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'WriteProcessMemory'
+ - 'CreateUserThread'
+ - 'CloseHanlde'
+ - 'GetDelegateForFunctionPointer'
+ - 'CreateThread'
+ - 'memcpy'
+ - 'LoadLibrary'
+ - 'GetModuleHandle'
+ - 'GetProcAdress'
+ - 'VirtualProtect'
+ - 'FreeLibrary'
+ - 'ReadProcessMemory'
+ - 'CreateRemoteThread'
+ - 'AdjustTokenPrivileges'
+ - 'WriteByte'
+ - 'WriteInt32'
+ - 'OpenThreadToken'
+ - 'PtrToString'
+ - 'FreeHGlobal'
+ - 'ZeroFreeGlobalAllocUnicode'
+ - 'OpenProcessToken'
+ - 'GetTokenInformation'
+ - 'SetThreadToken'
+ - 'ImpersonateLoggedOnUser'
+ - 'RevertToSelf'
+ - 'GetLogonSessionData'
+ - 'CreateProcessWithToken'
+ - 'DuplicateRokenEx'
+ - 'OpenWindowStation'
+ - 'OpenDesktop'
+ - 'MiniDumpWrireDump'
+ - 'AddSecurityPackage'
+ - 'EnumerateSecurityPackages'
+ - 'GetProcessHandle'
+ - 'DangerousGetHandle'
+ - 'Kernel32'
+ - 'Advapi32'
+ - 'Msvcrt'
+ - 'ntdll'
+ - 'User32'
+ - 'Secur32'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
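Review bot: Four entries in `Message|contains` are misspelled and therefore never match the real API names: `'CloseHanlde'`, `'GetProcAdress'`, `'DuplicateRokenEx'` and `'MiniDumpWrireDump'` should be `CloseHandle`, `GetProcAddress`, `DuplicateTokenEx` and `MiniDumpWriteDump`. The other 4104 rules in this commit match on `ScriptBlockText` rather than `Message`; confirm the field mapping, and note that `EventID:` as a one-element list can be a plain `EventID: 4104`. Very short substrings such as `'memcpy'`, `'ntdll'`, `'Kernel32'` and `'User32'` appear in a lot of benign scripts, which at `level: high` with `falsepositives: Unknown` deserves a sentence in the description.
```yaml
    Message|contains:
      # … unchanged: other API names …
      - 'CloseHandle'
      - 'GetProcAddress'
      - 'DuplicateTokenEx'
      - 'MiniDumpWriteDump'
```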
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 11cb82fbf27..6346854c7e4 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -1,15 +1,31 @@
+action: global
title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
+modified: 2021/06/01
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
+falsepositives:
+ - Programs using PowerShell directly without invocation of a dedicated interpreter
+ - MSP Detection Searcher
+ - Citrix ConfigSync.ps1
+level: medium
+detection:
+ filter:
+ - ContextInfo: 'powershell.exe'
+ - Message: 'powershell.exe'
+ # Both fields contain key=value pairs where the key HostApplication is relevant but
+ # can't be referred directly as event field.
+ condition: selection and not filter
+
+---
logsource:
product: windows
service: powershell
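Review bot: The filter values moved into the global section, `- ContextInfo: 'powershell.exe'` and `- Message: 'powershell.exe'`, carry no wildcard, so under Sigma's plain-value semantics they are whole-field matches; the comment right below them says both fields hold key=value text in which HostApplication is only one entry, so on backends that honour exact matching the filter presumably never excludes anything. If a substring match is intended, `ContextInfo|contains: 'powershell.exe'` and `Message|contains: 'powershell.exe'` state it explicitly, in line with the `|contains` modifiers adopted elsewhere in this commit. The defect pre-dates the split into global sections, but since the lines are rewritten here this is the moment to fix it. In the second hunk, `ContextInfo: '*'` is now applied to the classic EventID 400 document on its own; it is worth confirming that ContextInfo is populated on that event, otherwise the classic branch never fires.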
@@ -17,16 +33,13 @@ detection:
selection:
EventID:
- 4103
- - 400
ContextInfo: '*'
- filter:
- - ContextInfo: 'powershell.exe'
- - Message: 'powershell.exe'
- # Both fields contain key=value pairs where the key HostApplication is relevant but
- # can't be referred directly as event field.
- condition: selection and not filter
-falsepositives:
- - Programs using PowerShell directly without invocation of a dedicated interpreter
- - MSP Detection Searcher
- - Citrix ConfigSync.ps1
-level: medium
+---
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection:
+ EventID:
+ - 400
+ ContextInfo: '*'
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
new file mode 100644
index 00000000000..0479fcd143b
--- /dev/null
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
@@ -0,0 +1,42 @@
+title: Bad Opsec Powershell Code Artifacts
+id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
+status: experimental
+references:
+ - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
+ - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
+ - https://www.mdeditor.tw/pl/pgRt
+author: 'ok @securonix invrep_de, oscd.community'
+date: 2020/10/09
+modified: 2020/10/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086
+logsource:
+ product: windows
+ service: powershell
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - '$DoIt'
+ - 'harmj0y'
+ - 'mattifestation'
+ - '_RastaMouse'
+ - 'tifkin_'
+ - '0xdeadbeef'
+ selection_4103:
+ EventID: 4103
+ Payload|contains:
+ - '$DoIt'
+ - 'harmj0y'
+ - 'mattifestation'
+ - '_RastaMouse'
+ - 'tifkin_'
+ - '0xdeadbeef'
+ condition: selection_4104 or selection_4103
+falsepositives:
+ - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
+level: critical
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index b2249b79b3b..695c01d00d3 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -3,7 +3,8 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
-author: Ilyas Ochkov, oscd.community
+modified: 2020/11/28
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
@@ -14,12 +15,36 @@ logsource:
product: windows
service: powershell
detection:
- keywords:
- - 'del (Get-PSReadlineOption).HistorySavePath'
- - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
- - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- - 'rm (Get-PSReadlineOption).HistorySavePath'
- condition: keywords
+ selection_1:
+ EventID: 4104
+ selection_2:
+ ScriptBlockText|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ ScriptBlockText|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_3:
+ ScriptBlockText|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ selection_4:
+ EventID: 4103
+ selection_5:
+ Payload|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ Payload|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_6:
+ Payload|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ condition: selection_1 and ( selection_2 or selection_3 ) or
+ selection_4 and ( selection_5 or selection_6 )
falsepositives:
- - some PS-scripts
+ - Legitimate PowerShell scripts
level: medium
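Review bot: The `'–HistorySaveStyle'` value in selection_3 and selection_6 begins with an en dash (U+2013), not an ASCII hyphen, so `contains|all` only matches script text where the parameter was pasted with a typographic dash; the ordinary `-HistorySaveStyle` spelling is missed. Since the selection already requires `Set-PSReadlineOption` and `SaveNothing`, the dash adds nothing and the safe form is `- 'HistorySaveStyle'`. The condition on the last two lines relies on `and` binding tighter than `or` and on YAML folding the continuation line into one scalar; `condition: (selection_1 and (selection_2 or selection_3)) or (selection_4 and (selection_5 or selection_6))` on a single line states the intent without depending on either.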
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml
new file mode 100644
index 00000000000..a652304e2b8
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml
@@ -0,0 +1,51 @@
+title: Suspicious PowerShell Cmdline
+id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
+description: Detects the PowerShell command lines with reversed strings
+status: experimental
+references:
+ - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'hctac'
+ - 'kearb'
+ - 'dnammoc'
+ - 'ekovn'
+ - 'eliFd'
+ - 'rahc'
+ - 'etirw'
+ - 'golon'
+ - 'tninon'
+ - 'eddih'
+ - 'tpircS'
+ - 'ssecorp'
+ - 'llehsrewop'
+ - 'esnopser'
+ - 'daolnwod'
+ - 'tneilCbeW'
+ - 'tneilc'
+ - 'ptth'
+ - 'elifotevas'
+ - '46esab'
+ - 'htaPpmeTteG'
+ - 'tcejbO'
+ - 'maerts'
+ - 'hcaerof'
+ - 'ekovni'
+ - 'retupmoc'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
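Review bot: `Image|endswith: '\powershell.exe'` only covers Windows PowerShell, so the same command lines launched through PowerShell Core (`pwsh.exe`) are not seen; the same single-value filter is repeated in every selection of powershell_cmdline_special_characters.yml and powershell_cmdline_specific_comb_methods.yml. A two-element list, `Image|endswith:` with `- '\powershell.exe'` and `- '\pwsh.exe'`, closes the gap without touching the keyword lists. Several entries are four- or five-letter fragments (`rahc`, `ptth`, `golon`, `eddih`) that can plausibly occur inside Base64 or otherwise encoded arguments, so `falsepositives: Unlikely` looks optimistic for a high-level rule; a falsepositives entry naming encoded command lines would help triage.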
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
new file mode 100644
index 00000000000..d4c131fb2f5
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -0,0 +1,36 @@
+title: Suspicious PowerShell Command Line
+id: d7bcd677-645d-4691-a8d4-7a5602b780d1
+description: Detects the PowerShell command lines with special characters
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ condition: selection1 or selection2 or selection3 or selection4 or selection5
+falsepositives:
+ - Unlikely
+level: high
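Review bot: selection3's pattern `'.*{.*{.*{.*{.*{.*'` leaves the braces unescaped; PCRE-style engines treat a `{` that does not start a quantifier as a literal, but stricter engines reject it, and selection2 escapes the same character (`\{`), so the rule is inconsistent with itself. Any command line matching selection2 (ten braces) also matches selection3 (five), so under the `or` condition selection2 is redundant and can be dropped, or selection3 tightened if five was not the intended threshold. Writing selection3 as `CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'` keeps it portable either way. The leading `.*` in every pattern is unnecessary for an unanchored search and mainly adds backtracking on long command lines.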
diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
new file mode 100644
index 00000000000..6bfa956eee5
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
@@ -0,0 +1,55 @@
+title: Encoded PowerShell Command Line
+id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+description: Detects specific combinations of encoding methods in the PowerShell command lines
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'char'
+ - 'join'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToInt'
+ - 'ToDecimal'
+ - 'ToByte'
+ - 'ToUint'
+ - 'ToSingle'
+ - 'ToSByte'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToChar'
+ - 'ToString'
+ - 'String'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'split'
+ - 'join'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'ForEach'
+ - 'Xor'
+ selection6:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'cOnvErTTO-SECUreStRIng'
+ condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6
+falsepositives:
+ - Unlikely
+level: medium
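Review bot: selection6 matches `'cOnvErTTO-SECUreStRIng'` with `|contains`, but Sigma string matching is case-insensitive, so this selection fires on every ordinary `ConvertTo-SecureString` call — a routine cmdlet in legitimate administration scripts — rather than on the randomised-case spelling the value suggests. If the mixed casing is the signal, it needs a case-sensitive regular expression (a `CommandLine|re` pattern without `(?i)`) or a different indicator; if not, the selection should be removed or documented as intentionally broad under falsepositives. In selection3, `'ToString'` is already covered by `'String'` under `contains`, so one of the two is dead. The `Image|endswith: '\powershell.exe'` repeated across all six selections also omits `pwsh.exe`.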
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
new file mode 100644
index 00000000000..829a9dba8a9
--- /dev/null
+++ b/rules/windows/powershell/powershell_code_injection.yml
@@ -0,0 +1,22 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+status: experimental
+description: Detecting Code injection with PowerShell in another process
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: create_remote_thread
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+detection:
+ selection:
+ SourceImage|endswith: '\powershell.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
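Review bot: The `definition` text says `Symson config`; it should read `Sysmon config`, and it is the only hint a reader gets that this rule consumes Sysmon's CreateRemoteThread event rather than the PowerShell log the rest of the directory covers. `SourceImage|endswith: '\powershell.exe'` misses `pwsh.exe` as the injecting process; a two-value list would close that. The title announces code injection but the tags stop at `attack.t1059.001`; adding `attack.t1055` would make the rule findable by the technique it actually detects.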
diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml
new file mode 100644
index 00000000000..e5c17ef9c7a
--- /dev/null
+++ b/rules/windows/powershell/powershell_decompress_commands.yml
@@ -0,0 +1,26 @@
+title: PowerShell Decompress Commands
+id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/8
+ - https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains: 'Expand-Archive'
+ selection2:
+ EventID: 4103
+ Payload|contains: 'Expand-Archive'
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: informational
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
new file mode 100644
index 00000000000..ed6e4d1611a
--- /dev/null
+++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
@@ -0,0 +1,37 @@
+title: Delete Volume Shadow Copies Via WMI With PowerShell
+id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
+description: Shadow Copies deletion using operating systems utilities via PowerShell
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+ - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
+ - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+tags:
+ - attack.impact
+ - attack.t1490
+status: experimental
+author: frack113
+date: 2021/06/03
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection_obj:
+ CommandLine|contains|all:
+ - 'Get-WmiObject'
+ - ' Win32_Shadowcopy'
+ selection_del:
+ CommandLine|contains:
+ - 'Delete()'
+ - 'Remove-WmiObject'
+ selection_eventid:
+ EventID:
+ - 400
+ - 403
+ - 600
+ condition: selection_obj and selection_del and selection_eventid
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
+level: critical
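Review bot: The logsource is `service: powershell-classic` (EventID 400/403/600) but the selections match on `CommandLine`, and `fields` adds `ParentCommandLine`; both are process-creation field names, which suggests the rule was ported from the referenced win_shadow_copies_deletion.yml process_creation rule without re-mapping the fields. Whether the classic PowerShell events expose a `CommandLine` field depends on the field mapping in use and should be confirmed; if they do not, a critical-level rule that never fires is the result. Consider stating the mapping in a `definition` line, or switching to the `EventID: 4104` plus `ScriptBlockText|contains|all` shape used by the neighbouring rules in this commit, and drop `ParentCommandLine` from `fields` unless it exists on this log.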
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 034b3d02deb..4785ccf2979 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -17,11 +17,11 @@ logsource:
detection:
selection1:
EventID: 400
- EngineVersion:
- - '2.*'
- - '4.*'
- - '5.*'
- HostVersion: '3.*'
+ EngineVersion|startswith:
+ - '2.'
+ - '4.'
+ - '5.'
+ HostVersion|startswith: '3.'
condition: selection1
falsepositives:
- Penetration Tests
diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml
new file mode 100644
index 00000000000..46e8374c66f
--- /dev/null
+++ b/rules/windows/powershell/powershell_get_clipboard.yml
@@ -0,0 +1,26 @@
+title: PowerShell Get Clipboard
+id: 5486f63a-aa4c-488d-9a61-c9192853099f
+description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1115
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains: 'Get-Clipboard'
+ selection2:
+ EventID: 4103
+ Payload|contains: 'Get-Clipboard'
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml
new file mode 100644
index 00000000000..373f679aacf
--- /dev/null
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
@@ -0,0 +1,25 @@
+title: PowerShell ICMP Exfiltration
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+status: experimental
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+author: 'Bartlomiej Czyz @bczyz1, oscd.community'
+date: 2020/10/10
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
+ condition: selection
+falsepositives:
+ - Legitimate usage of System.Net.NetworkInformation.Ping class
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
new file mode 100644
index 00000000000..7d9b4abc9af
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
new file mode 100644
index 00000000000..7e2b0ef2d06
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
new file mode 100644
index 00000000000..9c2ab871f02
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
new file mode 100644
index 00000000000..365149a58fb
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: 1 of them
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 00000000000..793dc3c1401
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 00000000000..ab358c64291
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Stdin
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 00000000000..5f514bc6982
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Clip
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 00000000000..45764546fc0
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
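Review bot: The new file is named `powershell_invoke_obfuscation_via_use_mhsta.yml` while the title, description and pattern are about MSHTA; renaming it to `powershell_invoke_obfuscation_via_use_mshta.yml` keeps the rule findable and matches the `via_use_rundll32` / `via_use_clip` naming beside it. The grouping parentheses in `(set)`, `(&&)`, `(mshta)`, `(vbscript:createobject)` and `(\.run)` capture nothing that is used; dropping them leaves an equivalent, easier-to-read pattern.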
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 00000000000..a0abb761654
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
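Review bot: `date: 2019/10/08` looks like a typo for 2020/10/08 — the reference is the same oscd.community issue #1009 that the sibling rules in this commit date to October 2020, and the same author's via_use_clip, via_use_mhsta and via_stdin rules carry 2020/10 dates. This rule and powershell_invoke_obfuscation_via_rundll.yml (id e6cb92b4-…) both target the rundll32/shell32 `shellexec_rundll` launcher with overlapping regexes; a maintainer should decide whether both are wanted or merge them, and note the difference in `description` if both stay. The reference line also lacks the `#(Task NN)` marker the other issue-1009 rules carry.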
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
new file mode 100644
index 00000000000..6d19dc2e1af
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: e54f5149-6ba3-49cf-b153-070d24679126
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection_1 or selection_2
+falsepositives:
+ - Unknown
+level: high
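Review bot: The two regexes are meant to be one pattern applied to two fields, but selection_1 ends in `cmd.*\/c/c` while selection_2 ends in `cmd.*\/c`; the extra `/c` requires a literal `/c/c` in the script block and reads as an editing slip that would keep the 4104 branch from firing. Aligning selection_1 to `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r` restores the intended parity. The trailing `# FPs with |\/r` comment would be more useful as a sentence under `falsepositives` explaining that the `/r` form was deliberately left out.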
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index d75d512ae35..ad4609d8d13 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -8,112 +8,116 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
+modified: 2020/10/11
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Message:
- - "*Invoke-DllInjection*"
- - "*Invoke-Shellcode*"
- - "*Invoke-WmiCommand*"
- - "*Get-GPPPassword*"
- - "*Get-Keystrokes*"
- - "*Get-TimedScreenshot*"
- - "*Get-VaultCredential*"
- - "*Invoke-CredentialInjection*"
- - "*Invoke-Mimikatz*"
- - "*Invoke-NinjaCopy*"
- - "*Invoke-TokenManipulation*"
- - "*Out-Minidump*"
- - "*VolumeShadowCopyTools*"
- - "*Invoke-ReflectivePEInjection*"
- - "*Invoke-UserHunter*"
- - "*Find-GPOLocation*"
- - "*Invoke-ACLScanner*"
- - "*Invoke-DowngradeAccount*"
- - "*Get-ServiceUnquoted*"
- - "*Get-ServiceFilePermission*"
- - "*Get-ServicePermission*"
- - "*Invoke-ServiceAbuse*"
- - "*Install-ServiceBinary*"
- - "*Get-RegAutoLogon*"
- - "*Get-VulnAutoRun*"
- - "*Get-VulnSchTask*"
- - "*Get-UnattendedInstallFile*"
- - "*Get-ApplicationHost*"
- - "*Get-RegAlwaysInstallElevated*"
- - "*Get-Unconstrained*"
- - "*Add-RegBackdoor*"
- - "*Add-ScrnSaveBackdoor*"
- - "*Gupt-Backdoor*"
- - "*Invoke-ADSBackdoor*"
- - "*Enabled-DuplicateToken*"
- - "*Invoke-PsUaCme*"
- - "*Remove-Update*"
- - "*Check-VM*"
- - "*Get-LSASecret*"
- - "*Get-PassHashes*"
- - "*Show-TargetScreen*"
- - "*Port-Scan*"
- - "*Invoke-PoshRatHttp*"
- - "*Invoke-PowerShellTCP*"
- - "*Invoke-PowerShellWMI*"
- - "*Add-Exfiltration*"
- - "*Add-Persistence*"
- - "*Do-Exfiltration*"
- - "*Start-CaptureServer*"
- - "*Get-ChromeDump*"
- - "*Get-ClipboardContents*"
- - "*Get-FoxDump*"
- - "*Get-IndexedItem*"
- - "*Get-Screenshot*"
- - "*Invoke-Inveigh*"
- - "*Invoke-NetRipper*"
- - "*Invoke-EgressCheck*"
- - "*Invoke-PostExfil*"
- - "*Invoke-PSInject*"
- - "*Invoke-RunAs*"
- - "*MailRaider*"
- - "*New-HoneyHash*"
- - "*Set-MacAttribute*"
- - "*Invoke-DCSync*"
- - "*Invoke-PowerDump*"
- - "*Exploit-Jboss*"
- - "*Invoke-ThunderStruck*"
- - "*Invoke-VoiceTroll*"
- - "*Set-Wallpaper*"
- - "*Invoke-InveighRelay*"
- - "*Invoke-PsExec*"
- - "*Invoke-SSHCommand*"
- - "*Get-SecurityPackages*"
- - "*Install-SSP*"
- - "*Invoke-BackdoorLNK*"
- - "*PowerBreach*"
- - "*Get-SiteListPassword*"
- - "*Get-System*"
- - "*Invoke-BypassUAC*"
- - "*Invoke-Tater*"
- - "*Invoke-WScriptBypassUAC*"
- - "*PowerUp*"
- - "*PowerView*"
- - "*Get-RickAstley*"
- - "*Find-Fruit*"
- - "*HTTP-Login*"
- - "*Find-TrustedDocuments*"
- - "*Invoke-Paranoia*"
- - "*Invoke-WinEnum*"
- - "*Invoke-ARPScan*"
- - "*Invoke-PortScan*"
- - "*Invoke-ReverseDNSLookup*"
- - "*Invoke-SMBScanner*"
- - "*Invoke-Mimikittenz*"
- - "*Invoke-AllChecks*"
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Invoke-DllInjection"
+ - "Invoke-Shellcode"
+ - "Invoke-WmiCommand"
+ - "Get-GPPPassword"
+ - "Get-Keystrokes"
+ - "Get-TimedScreenshot"
+ - "Get-VaultCredential"
+ - "Invoke-CredentialInjection"
+ - "Invoke-Mimikatz"
+ - "Invoke-NinjaCopy"
+ - "Invoke-TokenManipulation"
+ - "Out-Minidump"
+ - "VolumeShadowCopyTools"
+ - "Invoke-ReflectivePEInjection"
+ - "Invoke-UserHunter"
+ - "Find-GPOLocation"
+ - "Invoke-ACLScanner"
+ - "Invoke-DowngradeAccount"
+ - "Get-ServiceUnquoted"
+ - "Get-ServiceFilePermission"
+ - "Get-ServicePermission"
+ - "Invoke-ServiceAbuse"
+ - "Install-ServiceBinary"
+ - "Get-RegAutoLogon"
+ - "Get-VulnAutoRun"
+ - "Get-VulnSchTask"
+ - "Get-UnattendedInstallFile"
+ - "Get-ApplicationHost"
+ - "Get-RegAlwaysInstallElevated"
+ - "Get-Unconstrained"
+ - "Add-RegBackdoor"
+ - "Add-ScrnSaveBackdoor"
+ - "Gupt-Backdoor"
+ - "Invoke-ADSBackdoor"
+ - "Enabled-DuplicateToken"
+ - "Invoke-PsUaCme"
+ - "Remove-Update"
+ - "Check-VM"
+ - "Get-LSASecret"
+ - "Get-PassHashes"
+ - "Show-TargetScreen"
+ - "Port-Scan"
+ - "Invoke-PoshRatHttp"
+ - "Invoke-PowerShellTCP"
+ - "Invoke-PowerShellWMI"
+ - "Add-Exfiltration"
+ - "Add-Persistence"
+ - "Do-Exfiltration"
+ - "Start-CaptureServer"
+ - "Get-ChromeDump"
+ - "Get-ClipboardContents"
+ - "Get-FoxDump"
+ - "Get-IndexedItem"
+ - "Get-Screenshot"
+ - "Invoke-Inveigh"
+ - "Invoke-NetRipper"
+ - "Invoke-EgressCheck"
+ - "Invoke-PostExfil"
+ - "Invoke-PSInject"
+ - "Invoke-RunAs"
+ - "MailRaider"
+ - "New-HoneyHash"
+ - "Set-MacAttribute"
+ - "Invoke-DCSync"
+ - "Invoke-PowerDump"
+ - "Exploit-Jboss"
+ - "Invoke-ThunderStruck"
+ - "Invoke-VoiceTroll"
+ - "Set-Wallpaper"
+ - "Invoke-InveighRelay"
+ - "Invoke-PsExec"
+ - "Invoke-SSHCommand"
+ - "Get-SecurityPackages"
+ - "Install-SSP"
+ - "Invoke-BackdoorLNK"
+ - "PowerBreach"
+ - "Get-SiteListPassword"
+ - "Get-System"
+ - "Invoke-BypassUAC"
+ - "Invoke-Tater"
+ - "Invoke-WScriptBypassUAC"
+ - "PowerUp"
+ - "PowerView"
+ - "Get-RickAstley"
+ - "Find-Fruit"
+ - "HTTP-Login"
+ - "Find-TrustedDocuments"
+ - "Invoke-Paranoia"
+ - "Invoke-WinEnum"
+ - "Invoke-ARPScan"
+ - "Invoke-PortScan"
+ - "Invoke-ReverseDNSLookup"
+ - "Invoke-SMBScanner"
+ - "Invoke-Mimikittenz"
+ - "Invoke-AllChecks"
false_positives:
- - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ EventID: 4104
+ ScriptBlockText|contains:
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
falsepositives:
- Penetration testing
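Review bot: The module-logging path is lost in the new `keywords`: the old `Message` list was not bound to an event id, so 4103 events carrying the same cmdlet names matched before, whereas the rewrite requires `EventID: 4104` and `ScriptBlockText`. The sibling rules in this commit (for example powershell_bad_opsec_artifacts.yml) keep both paths with a second selection on `EventID: 4103` / `Payload|contains` over the same list; the same shape fits here, with `false_positives` mirrored for 4103. The untouched `definition` still says Script Block Logging is "recommended", but after this change it is a hard requirement for the rule to fire at all, so the wording should say so. powershell_malicious_keywords.yml in the same commit keeps an unbound `Message|contains`, so the two rules now have different coverage of the same log; that looks unintentional.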
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index bf8809959ad..f46ce60b32c 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -16,27 +16,27 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Message:
- - "*AdjustTokenPrivileges*"
- - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- - "*Microsoft.Win32.UnsafeNativeMethods*"
- - "*ReadProcessMemory.Invoke*"
- - "*SE_PRIVILEGE_ENABLED*"
- - "*LSA_UNICODE_STRING*"
- - "*MiniDumpWriteDump*"
- - "*PAGE_EXECUTE_READ*"
- - "*SECURITY_DELEGATION*"
- - "*TOKEN_ADJUST_PRIVILEGES*"
- - "*TOKEN_ALL_ACCESS*"
- - "*TOKEN_ASSIGN_PRIMARY*"
- - "*TOKEN_DUPLICATE*"
- - "*TOKEN_ELEVATION*"
- - "*TOKEN_IMPERSONATE*"
- - "*TOKEN_INFORMATION_CLASS*"
- - "*TOKEN_PRIVILEGES*"
- - "*TOKEN_QUERY*"
- - "*Metasploit*"
- - "*Mimikatz*"
+ Message|contains:
+ - "AdjustTokenPrivileges"
+ - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+ - "Microsoft.Win32.UnsafeNativeMethods"
+ - "ReadProcessMemory.Invoke"
+ - "SE_PRIVILEGE_ENABLED"
+ - "LSA_UNICODE_STRING"
+ - "MiniDumpWriteDump"
+ - "PAGE_EXECUTE_READ"
+ - "SECURITY_DELEGATION"
+ - "TOKEN_ADJUST_PRIVILEGES"
+ - "TOKEN_ALL_ACCESS"
+ - "TOKEN_ASSIGN_PRIMARY"
+ - "TOKEN_DUPLICATE"
+ - "TOKEN_ELEVATION"
+ - "TOKEN_IMPERSONATE"
+ - "TOKEN_INFORMATION_CLASS"
+ - "TOKEN_PRIVILEGES"
+ - "TOKEN_QUERY"
+ - "Metasploit"
+ - "Mimikatz"
condition: keywords
falsepositives:
- Penetration tests
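Review bot: The rewritten `keywords` selection still matches on the generic `Message` field, while the `definition` context line in this same hunk recommends Script Block Logging and the new PowerShell rules in this commit (PowerView, Export-PfxCertificate, Get-Process lsass) pin `EventID: 4104` with `ScriptBlockText|contains`. Without an event id the twenty substrings are evaluated against every PowerShell log message, which is slower and more likely to match unrelated events. If the broader field is deliberate (to cover classic, non-4104 logs), say so with a comment above the selection, e.g. `# Message is used on purpose so that classic PowerShell logs are covered as well`; otherwise align it with the sibling rules.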
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 52573917f20..21547f4dd25 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -3,6 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: experimental
description: Detects Commandlet names and arguments from the Nishang exploitation framework
date: 2019/05/16
+modified: 2021/04/23
references:
- https://github.com/samratashok/nishang
tags:
@@ -78,7 +79,7 @@ detection:
- DataToEncode
- LoggedKeys
- OUT-DNSTXT
- - Jitter
+ # - Jitter # Prone to FPs
- ExfilOption
- DumpCerts
- DumpCreds
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
new file mode 100644
index 00000000000..c442d4fae45
--- /dev/null
+++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
@@ -0,0 +1,98 @@
+title: Malicious PowerView PowerShell Commandlets
+id: dcd74b95-3f36-4ed9-9598-0490951643aa
+status: experimental
+description: Detects Commandlet names from PowerView of PowerSploit exploitation framework
+date: 2021/05/18
+references:
+ - https://powersploit.readthedocs.io/en/stable/Recon/README
+ - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+ - https://thedfirreport.com/2020/10/08/ryuks-return
+tags:
+ - attack.execution
+ - attack.t1059.001
+author: Bhabesh Raj
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Export-PowerViewCSV
+ - Resolve-IPAddress
+ - ConvertTo-SID
+ - Convert-ADName
+ - ConvertFrom-UACValue
+ - Add-RemoteConnection
+ - Remove-RemoteConnection
+ - Invoke-UserImpersonation
+ - Invoke-RevertToSelf
+ - Get-DomainSPNTicket
+ - Invoke-Kerberoast
+ - Get-PathAcl
+ - Get-DomainDNSZone
+ - Get-DomainDNSRecord
+ - Get-Domain
+ - Get-DomainController
+ - Get-Forest
+ - Get-ForestDomain
+ - Get-ForestGlobalCatalog
+ - Find-DomainObjectPropertyOutlier
+ - Get-DomainUser
+ - New-DomainUser
+ - Set-DomainUserPassword
+ - Get-DomainUserEvent
+ - Get-DomainComputer
+ - Get-DomainObject
+ - Set-DomainObject
+ - Get-DomainObjectAcl
+ - Add-DomainObjectAcl
+ - Find-InterestingDomainAcl
+ - Get-DomainOU
+ - Get-DomainSite
+ - Get-DomainSubnet
+ - Get-DomainSID
+ - Get-DomainGroup
+ - New-DomainGroup
+ - Get-DomainManagedSecurityGroup
+ - Get-DomainGroupMember
+ - Add-DomainGroupMember
+ - Get-DomainFileServer
+ - Get-DomainDFSShare
+ - Get-DomainGPO
+ - Get-DomainGPOLocalGroup
+ - Get-DomainGPOUserLocalGroupMapping
+ - Get-DomainGPOComputerLocalGroupMapping
+ - Get-DomainPolicy
+ - Get-NetLocalGroup
+ - Get-NetLocalGroupMember
+ - Get-NetShare
+ - Get-NetLoggedon
+ - Get-NetSession
+ - Get-RegLoggedOn
+ - Get-NetRDPSession
+ - Test-AdminAccess
+ - Get-NetComputerSiteName
+ - Get-WMIRegProxy
+ - Get-WMIRegLastLoggedOn
+ - Get-WMIRegCachedRDPConnection
+ - Get-WMIRegMountedDrive
+ - Get-WMIProcess
+ - Find-InterestingFile
+ - Find-DomainUserLocation
+ - Find-DomainProcess
+ - Find-DomainUserEvent
+ - Find-DomainShare
+ - Find-InterestingDomainShareFile
+ - Find-LocalAdminAccess
+ - Find-DomainLocalGroupMember
+ - Get-DomainTrust
+ - Get-ForestTrust
+ - Get-DomainForeignUser
+ - Get-DomainForeignGroupMember
+ - Get-DomainTrustMapping
+ condition: selection
+falsepositives:
+ - Should not be any as administrators do not use this tool
+level: high
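Review bot: `ScriptBlockText:` carries no `|contains` modifier, so each of the 73 entries is an exact whole-field match; a script block that merely invokes `Get-DomainUser` somewhere in its text will not match, and the rule is likely never to fire. Every other new PowerShell rule in this commit uses `ScriptBlockText|contains:`, and that is what this line should read. Separately, the `definition` line has a typo (`recommanded` → `recommended`), and the `falsepositives` claim that administrators never use this tool is stronger than the evidence supports; `Unknown` or a note about red-team and authorised assessment activity would be more accurate.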
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index f5601ce9795..4513b1dd2c4 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -20,8 +20,8 @@ detection:
selection:
EventID: 4104
keyword:
- Message:
- - '*PromptForCredential*'
+ Message|contains:
+ - 'PromptForCredential'
condition: all of them
falsepositives:
- Unknown
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 710a4a9313d..80f74507d0b 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2020/08/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index dcd835dcfb9..ba269aca2c0 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -13,7 +13,7 @@ tags:
- attack.t1086 #an old one
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
-modified: 2020/08/24
+modified: 2020/12/01
logsource:
product: windows
service: powershell
@@ -21,12 +21,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*AAAAYInlM*'
- keyword2:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
- condition: selection and keyword1 and keyword2
+ ScriptBlockText|contains: 'AAAAYInlM'
+ selection2:
+ ScriptBlockText|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
+ condition: selection and selection2
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
new file mode 100644
index 00000000000..ac4077fdb80
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
@@ -0,0 +1,25 @@
+title: Suspicious Export-PfxCertificate
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+status: experimental
+description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+ - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Export-PfxCertificate"
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
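Review bot: The `description` has a typo, `provate keys` → `private keys`, and would read more clearly as two statements: what the cmdlet does and why it is of interest. The `falsepositives` entry is appropriate because `Export-PfxCertificate` is also a routine administrative cmdlet; a `modified` line can be added when the text is corrected.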
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
new file mode 100644
index 00000000000..cb8754e2128
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
@@ -0,0 +1,24 @@
+title: PowerShell Get-Process LSASS in ScriptBlock
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+status: experimental
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Get-Process lsass'
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
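Review bot: The `falsepositives` entry was copied from the Export-PfxCertificate rule — `Legitimate certificate exports invoked by administrators or users ...` does not describe a `Get-Process lsass` detection and will mislead analysts triaging the alert. Replace it with a statement about this cmdlet, e.g. `- Legitimate administrative or monitoring scripts that enumerate the lsass process (filter by host or user if needed)`. The selection also matches only the positional form; if the parameterised form `Get-Process -Name lsass` documented for the cmdlet should be covered too, `ScriptBlockText|contains|all` with `Get-Process` and `lsass` would do so at the cost of more false positives.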
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 42b151a2cf0..97833fc3eb1 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -6,21 +6,57 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
-author: Florian Roth (rule)
+author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
logsource:
product: windows
service: powershell
detection:
- keywords:
- Message:
- - '* -nop -w hidden -c * [Convert]::FromBase64String*'
- - '* -w hidden -noni -nop -c "iex(New-Object*'
- - '* -w hidden -ep bypass -Enc*'
- - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
- - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
- - '*iex(New-Object Net.WebClient).Download*'
- condition: keywords
+ convert_b64:
+ Message|contains|all:
+ - '-nop'
+ - ' -w '
+ - 'hidden'
+ - ' -c '
+ - '[Convert]::FromBase64String'
+ iex_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-noni'
+ - '-nop'
+ - ' -c '
+ - 'iex'
+ - 'New-Object'
+ enc_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-ep'
+ - 'bypass'
+ - '-Enc'
+ reg_selection:
+ Message|contains|all:
+ - 'powershell'
+ - 'reg'
+ - 'add'
+ - 'HKCU\software\microsoft\windows\currentversion\run'
+ webclient_selection:
+ Message|contains|all:
+ - 'bypass'
+ - '-noprofile'
+ - '-windowstyle'
+ - 'hidden'
+ - 'new-object'
+ - 'system.net.webclient'
+ - '.download'
+ iex_webclient:
+ Message|contains|all:
+ - 'iex'
+ - 'New-Object'
+ - 'Net.WebClient'
+ - '.Download'
+ condition: 1 of them
falsepositives:
- Penetration tests
level: high
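Review bot: The detection is rewritten from six exact wildcard patterns into six `contains|all` selections joined by `1 of them`, but the rule keeps `date: 2017/03/05` and gains no `modified:` field, whereas the other rules whose detection changed in this commit (shellcode_b64, winlogon_helper_dll, the process_access rules) bump `modified`; add `modified: <YYYY/MM/DD of this change>` after the `date` line. The selections also spell the same tokens with different casing (`new-object`/`New-Object`, `.download`/`.Download`), which only behaves as intended on case-insensitive backends; a comment such as `# casing differs between selections; relies on case-insensitive matching` above `detection:` would make that dependency explicit.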
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index fee94896589..c363bf38731 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -3,11 +3,13 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
+modified: 2021/06/10
author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+ - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
- attack.execution
- attack.t1059.001
@@ -26,6 +28,10 @@ detection:
- "Reflection.Emit.AssemblyBuilderAccess"
- "Runtime.InteropServices.DllImportAttribute"
- "SuspendThread"
+ - "rundll32"
+ - "FromBase64"
+ - "Invoke-WMIMethod"
+ - "http://127.0.0.1"
condition: keywords
falsepositives:
- Penetration tests
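Review bot: The four added keywords are far more generic than the API-name strings already in this list: `rundll32`, `FromBase64` and `Invoke-WMIMethod` occur in ordinary administrative scripts and `http://127.0.0.1` in local tooling, and with `condition: keywords` any single hit fires the rule. The enclosing rule starts outside this hunk, so its `level` is not visible, but `falsepositives` lists only `Penetration tests`, which no longer holds. Either move the generic terms into a separate lower-severity rule or extend `falsepositives` with e.g. `- Administrative scripts that use rundll32, Base64 decoding or Invoke-WMIMethod` and revisit the level.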
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 00000000000..f0ca3127ef8
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -0,0 +1,24 @@
+title: PowerShell Deleted Mounted Share
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
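Review bot: The `description` contains a doubled word, `Detects when when a mounted share is removed`; drop one `when`. The rest is consistent with the other new rules: `Remove-SmbShare` and `Remove-FileShare` are routine administrative cmdlets, which the `falsepositives` entry and `level: medium` already reflect.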
diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml
index d1bb7343c15..e07a660adcf 100644
--- a/rules/windows/powershell/powershell_suspicious_profile_create.yml
+++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml
@@ -9,10 +9,8 @@ date: 2019/10/24
modified: 2020/08/24
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
- event:
- EventID: 11
target1:
TargetFilename|contains|all:
- '\My Documents\PowerShell\'
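Review bot: The logsource moves from `service: sysmon` to the generic `category: file_event` and the explicit `EventID: 11` selector is dropped, yet `modified: 2020/08/24` in this hunk's context is left unchanged, while other rules in this commit bump `modified` on logic changes; set `modified: <YYYY/MM/DD of this change>`. Behaviour is preserved only as long as each backend's `file_event` mapping resolves to the same file-creation events that `EventID: 11` selected, which is worth stating in the commit description or a comment above `logsource:`.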
@@ -21,7 +19,7 @@ detection:
TargetFilename|contains|all:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- '\profile.ps1'
- condition: event and (target1 or target2)
+ condition: target1 or target2
falsepositives:
- System administrator create Powershell profile manually
level: high
diff --git a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml
new file mode 100644
index 00000000000..4e4e4dcc420
--- /dev/null
+++ b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml
@@ -0,0 +1,29 @@
+title: Tamper Windows Defender
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+description: Attempting to disable scheduled scanning and other parts of windows defender atp.
+status: experimental
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+author: frack113
+date: 2021/06/07
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ product: windows
+ category: powershell-classic
+detection:
+ select_EventID:
+ EventID: 600
+ tamper_ps_action:
+ HostApplication|contains: 'Set-MpPreference'
+ tamper_ps_option:
+ HostApplication|contains:
+ - '-DisableRealtimeMonitoring 1'
+ - '-DisableBehaviorMonitoring 1'
+ - '-DisableScriptScanning 1'
+ - '-DisableBlockAtFirstSeen 1'
+ condition: select_EventID and tamper_ps_action and tamper_ps_option
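Review bot: The `tamper_ps_option` substrings pin the numeric spelling of each switch (`-DisableRealtimeMonitoring 1`), so the boolean spelling documented for `Set-MpPreference` (`$true`) is not covered; if that form should match as well, a second list with the `$true` variants, or a `contains|all` split into switch name plus value, would cover both without also matching the re-enabling `0`/`$false` forms. The `description` refers to `windows defender atp`, whereas `Set-MpPreference` configures Defender Antivirus; `Detects attempts to disable real-time, behaviour and script scanning in Windows Defender Antivirus via Set-MpPreference.` would be accurate. Finally, `falsepositives` and `level` are placed before `logsource` and `detection`, unlike the other rules in this directory; reorder for consistency.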
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index 87e162bd489..9555ba0d501 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -4,6 +4,7 @@ status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
+modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
@@ -13,12 +14,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*Set-ItemProperty*'
- - '*New-Item*'
- keyword2:
- - '*CurrentVersion\Winlogon*'
- condition: selection and ( keyword1 and keyword2 )
+ ScriptBlockText|contains: 'CurrentVersion\Winlogon'
+ selection2:
+ ScriptBlockText|contains:
+ - 'Set-ItemProperty'
+ - 'New-Item'
+ condition: selection and selection2
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
new file mode 100644
index 00000000000..b659542894d
--- /dev/null
+++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
@@ -0,0 +1,28 @@
+title: Suspicious Non PowerShell WSMAN COM Provider
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
+status: experimental
+date: 2020/06/24
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ Message|contains: 'ProviderName=WSMan'
+ filter:
+ Message|contains: 'HostApplication=*powershell'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
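Review bot: The `filter` value `HostApplication=*powershell` embeds a `*` inside a `|contains` value; Sigma treats an unescaped `*` as a wildcard even under `contains`, so the filter suppresses any message in which `powershell` appears anywhere after `HostApplication=`, not only when the host application path itself is PowerShell. If that breadth is intended, say so with a comment above the line, e.g. `# wildcard is intentional: the HostApplication value is followed by further text`; otherwise anchor the match more tightly to the expected executable path fragment. Elsewhere this commit strips `*` from values when switching to `|contains`, so this exception stands out.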
diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml
index 4a6f4f4bcc3..745d8b86df3 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution.yml
@@ -14,7 +14,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
-modified: 2020/12/23
+modified: 2021/06/27
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
@@ -30,5 +30,5 @@ logsource:
detection:
# Process Access Call Trace
selection:
- CallTrace: '*cmlua.dll*'
+ CallTrace|contains: 'cmlua.dll'
condition: selection
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index ab1bd80de22..dfaf68fcc00 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
oscd.community (update)
date: 2017/02/16
-modified: 2020/08/24
+modified: 2021/05/16
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -44,6 +44,7 @@ detection:
- '\procexp64.exe'
- '\procexp.exe'
- '\lsm.exe'
+ - '\MsMpEng.exe'
- '\csrss.exe'
- '\wininit.exe'
- '\vmtoolsd.exe'
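Review bot: Adding `\MsMpEng.exe` to what appears to be an `endswith` exclusion list (the list's key is outside this hunk) whitelists the Defender engine by file name alone, so any process carrying that name is excluded from the LSASS-access detection. Because the engine runs from a fixed installation directory, a longer path suffix that includes that directory would keep the exclusion narrow; a comment naming why the entry was added (Defender's own LSASS access) would also help the next reviewer, e.g. `# Windows Defender engine legitimately accesses lsass`.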
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 6606314d4f7..50b71bbea23 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -7,8 +7,8 @@ description: Detects the access to processes by other suspicious processes which
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
-modified: 2020/08/24
-author: Perez Diego (@darkquassar), oscd.community
+modified: 2021/05/16
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
@@ -21,12 +21,19 @@ logsource:
category: process_access
product: windows
detection:
- selection1:
- CallTrace:
- - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- - "*UNKNOWN(*)|UNKNOWN(*)"
- selection2:
- CallTrace: "*UNKNOWN*"
+ selection1:
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '|UNKNOWN('
+ - ')'
+ selection2:
+ CallTrace|contains|all:
+ - "UNKNOWN("
+ - ")|UNKNOWN("
+ CallTrace|endswith: ")"
+ selection3:
+ CallTrace|contains: "UNKNOWN"
granted_access:
GrantedAccess:
- "0x1F0FFF"
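Review bot: In the rewritten `selection1`, the final `contains|all` term `')'` adds no discrimination — almost every call trace that contains `|UNKNOWN(` also contains a closing parenthesis — so the selection is effectively its first three terms; either drop it or replace it with `CallTrace|endswith: ')'` as `selection2` already does (the original pattern ended in `UNKNOWN(*)`). `selection2` and `selection3` are otherwise a faithful split of the two old patterns; the `granted_access` list continues outside the hunk.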
@@ -37,7 +44,10 @@ detection:
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
- condition: selection1 OR (selection2 AND granted_access)
+ filter:
+ SourceImage|endswith:
+ - '\Windows\System32\sdiagnhost.exe'
+ condition: (selection1 or selection2) or (selection3 and granted_access) and not filter
fields:
- ComputerName
- User
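Review bot: The new condition `(selection1 or selection2) or (selection3 and granted_access) and not filter` does not apply the `sdiagnhost.exe` filter to `selection1`/`selection2`: in Sigma `and` binds tighter than `or`, so the expression parses as `(selection1 or selection2) or ((selection3 and granted_access) and not filter)`. If the exclusion is meant for all three branches, write `condition: ((selection1 or selection2) or (selection3 and granted_access)) and not filter`. A one-line comment above the condition stating which branches the filter targets would keep the next edit from reintroducing the ambiguity.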
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index bbcf116aed3..f779354d670 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -17,10 +17,10 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\windows\system32\svchost.exe'
+ TargetImage|endswith: '\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
- CallTrace:
- - '*unknown*'
+ CallTrace|contains:
+ - 'unknown'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
index 2b57d3b480f..bbeede22936 100644
--- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -3,7 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
date: 2020/09/09
-author: Bhabesh Raj
+author: Bhabesh Raj, Jonhnathan Ribeiro
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
tags:
@@ -15,8 +15,12 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\lsass.exe'
- CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '_ctypes.pyd+'
+ - 'python27.dll+'
GrantedAccess: "0x1FFFFF"
condition: selection
level: critical
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
new file mode 100644
index 00000000000..703f86b32c9
--- /dev/null
+++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
@@ -0,0 +1,29 @@
+title: Load Undocumented Autoelevated COM Interface
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+status: experimental
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+references:
+ - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ CallTrace|contains: 'editionupgrademanagerobj.dll'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - SourceImage
+ - TargetImage
+ - CallTrace
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
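Review bot: The new file ends without a trailing newline (`\ No newline at end of file`); add one so the rule matches the other files and diffs cleanly. The `description` is a noun phrase rather than a statement of what is detected — `Detects the loading of the undocumented auto-elevated COM interface EditionUpgradeManager (editionupgrademanagerobj.dll), which standard executables do not use.` would follow the repository's convention.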
diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
new file mode 100755
index 00000000000..fd893e140a4
--- /dev/null
+++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
@@ -0,0 +1,25 @@
+title: Lsass Memory Dump via Comsvcs DLL
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
+status: experimental
+date: 2020/10/20
+modified: 2021/06/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+references:
+ - https://twitter.com/shantanukhande/status/1229348874298388484
+ - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ TargetImage|endswith: '\lsass.exe'
+ SourceImage: 'C:\Windows\System32\rundll32.exe'
+ CallTrace|contains: 'comsvcs.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
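Review bot: `SourceImage: 'C:\Windows\System32\rundll32.exe'` is an exact match, while `TargetImage|endswith: '\lsass.exe'` on the line above follows the `|endswith` style this commit adopts elsewhere; the exact path misses rundll32 started from `SysWOW64` or a non-default system drive. `SourceImage|endswith: '\rundll32.exe'` keeps the intent and is consistent with the rest of the commit. `falsepositives: Unknown` is acceptable given that `CallTrace|contains: 'comsvcs.dll'` already narrows the selection.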
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 778afd9bce8..4eb8b34b203 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
date: 2019/04/03
-modified: 2020/08/24
+modified: 2021/06/21
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
tags:
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection:
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1fffff'
- CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ CallTrace|contains:
+ - 'dbghelp.dll'
+ - 'dbgcore.dll'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
index 2224ad19f53..55855b3bcf2 100755
--- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -16,13 +16,15 @@ logsource:
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
- TargetImage: '*\verclsid.exe'
+ TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
- CallTrace: '*|UNKNOWN(*VBE7.DLL*'
+ CallTrace|contains|all:
+ - '|UNKNOWN('
+ - 'VBE7.DLL'
combination2:
- SourceImage: '*\Microsoft Office\\*'
- CallTrace: '*|UNKNOWN*'
+ SourceImage|contains: '\Microsoft Office\'
+ CallTrace|contains: '|UNKNOWN'
condition: selection and 1 of combination*
falsepositives:
- unknown
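Review bot: `SourceImage|contains: '\Microsoft Office\'` ends in a backslash; when the backend appends the `contains` wildcard the value becomes `...\Microsoft Office\*`, and under Sigma's escaping rules `\*` is a literal asterisk rather than a wildcard — the original pattern used `\\*` precisely to avoid this. Whether it bites depends on how each backend implements `contains`; to be safe write the trailing backslash as `'\Microsoft Office\\'` (which Sigma reads as a single plain backslash) and check the converted query on the SQL backend that CI runs. `CallTrace|contains: '|UNKNOWN'` and the `combination1` split are otherwise equivalent to the old patterns.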
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index c679f7ab740..c433c22d656 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -6,13 +6,13 @@ references:
status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
-modified: 2020/08/24
+modified: 2021/06/21
logsource:
category: process_access
product: windows
detection:
selection:
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
tags:
diff --git a/rules/windows/process_access/sysmon_svchost_cred_dump.yml b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
new file mode 100644
index 00000000000..f8d2863540c
--- /dev/null
+++ b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
@@ -0,0 +1,23 @@
+title: SVCHOST Credential Dump
+id: 174afcfa-6e40-4ae9-af64-496546389294
+description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
+date: 2021/04/30
+author: Florent Labouyrie
+logsource:
+ product: windows
+ category: process_access
+tags:
+ - attack.t1548
+detection:
+ selection_process:
+ TargetImage|endswith: '\svchost.exe'
+ selection_memory:
+ GrantedAccess: '0x143a'
+ filter_trusted_process_access:
+ SourceImage|endswith:
+ - '*\services.exe'
+ - '*\msiexec.exe'
+ condition: selection_process and selection_memory and not filter_trusted_process_access
+falsepositives:
+ - Non identified legit exectubale
+level: critical
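Review bot: The two `filter_trusted_process_access` values keep a leading `*` (`'*\services.exe'`) under `SourceImage|endswith`, which is redundant and inconsistent with the `|endswith` values elsewhere in this commit; write `- '\services.exe'` and `- '\msiexec.exe'`. The only tag, `attack.t1548` (Abuse Elevation Control Mechanism), does not describe credential dumping from svchost — `attack.credential_access` with the applicable T1003 sub-technique would be the expected mapping. The rule also lacks `status` and `references`, which every other new rule in this commit carries, and `exectubale` in `falsepositives` is a typo.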
diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
new file mode 100644
index 00000000000..44e421b3528
--- /dev/null
+++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
@@ -0,0 +1,31 @@
+title: Suspicious Shells Spawn by WinRM
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+description: Detects suspicious shell spawn from WinRM host process
+status: experimental
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+modified: 2021/05/22
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\wsmprovhost.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\powershell.exe'
+ - '*\schtasks.exe'
+ - '*\certutil.exe'
+ - '*\whoami.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+falsepositives:
+ - Legitimate WinRM usage
+level: high
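Review bot: This rule uses legacy wildcard values (`'*\wsmprovhost.exe'`, `'*\cmd.exe'`) on `ParentImage` and `Image` while the rest of the commit converts such patterns to `|endswith`; `ParentImage|endswith: '\wsmprovhost.exe'` and `Image|endswith:` with the `*` stripped from each entry would match the new convention. The file also sits in `rules/windows/process_access/` although its logsource is `category: process_creation`, so it belongs in the `process_creation` directory. The tags (`t1190`, `initial_access`, `persistence`, `privilege_escalation`) do not name the technique actually observed here — a shell spawned by the WinRM host process maps to `attack.lateral_movement` / `attack.t1021.006` — and `references` is missing.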
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_SDelete.yml
new file mode 100644
index 00000000000..78d44427308
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_SDelete.yml
@@ -0,0 +1,32 @@
+title: Sysinternals SDelete Delete File
+id: a4824fca-976f-4964-b334-0621379e84c4
+status: experimental
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: sdelete.exe
+ filter:
+ CommandLine|contains:
+ - ' -h'
+ - ' -c'
+ - ' -z'
+ - ' /?'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+level: medium
diff --git a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 00000000000..5289718b6c3
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,24 @@
+title: F-Secure C3 Load by Rundll32
+status: experimental
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+references:
+ - https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartNodeRelay'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
new file mode 100644
index 00000000000..580898f694f
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -0,0 +1,26 @@
+title: CobaltStrike Load by Rundll32
+status: experimental
+id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
+author: Wojciech Lesicki
+date: 2021/06/01
+description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+references:
+ - https://www.cobaltstrike.com/help-windows-executable
+ - https://redcanary.com/threat-detection-report/
+ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartW'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
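Review bot: `'StartW'` inside `CommandLine|contains|all` is a bare substring, so any rundll32 command line whose DLL export or arguments merely contain that fragment (StartWindow, StartWatcher and the like) satisfies the selection, which is costly at `level: critical` with `falsepositives: Unknown`. Anchoring on the separator rundll32 places between the DLL and the export, `- ',StartW'`, keeps the intent while removing most of those collisions; whether the loaders you see also accept whitespace instead of the comma should be checked before relying on it alone.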
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 00000000000..1c7b2054c7c
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '.dll'
+ - '.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
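Review bot: `CommandLine|endswith: '.dll'` paired with `Image|endswith: '\dotnet.exe'` is the standard launch form of every .NET Core application (`dotnet app.dll`), so on hosts that run such applications or build pipelines this fires continuously rather than on the LOLBIN case the references describe. If the rule is meant as a hunting query, `falsepositives` should state that any .NET Core application started through the host matches; otherwise the selection needs a narrowing element, such as a DLL path outside the usual application directories, which this hunk does not provide. `level: medium` is hard to justify for a selection this broad.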
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 00000000000..08b58676238
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -0,0 +1,34 @@
+title: Execute Files with Msdeploy.exe
+status: experimental
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 00000000000..399103d253e
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -0,0 +1,44 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+status: experimental
+description: Detection of unusual child processes by different system processes
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+date: 2020/10/28
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
+author: 'Semanur Guneysu @semanurtg, oscd.community'
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ ParentImage|endswith:
+ - '\winlogon.exe'
+ - '\services.exe'
+ - '\lsass.exe'
+ - '\csrss.exe'
+ - '\smss.exe'
+ - '\wininit.exe'
+ - '\spoolsv.exe'
+ - '\searchindexer.exe'
+ selection2:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\cmd.exe'
+ selection3:
+ User: 'NT AUTHORITY\SYSTEM'
+ filter:
+ CommandLine|contains|all:
+ - ' route '
+ - ' ADD '
+ condition: selection1 and selection2 and selection3 and not filter
+fields:
+ - ParentImage
+ - Image
+ - User
+ - CommandLine
+falsepositives:
+ - unknown
+level: high
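Review bot: `User: 'NT AUTHORITY\SYSTEM'` in selection3 is an exact match on a localized display name, so on non-English installations, where the authority name is rendered in the system language, the rule silently never fires. The same literal is used in the `user` selection of sysmon_always_install_elevated_windows_installer.yml further down. Where the log source exposes a SID or an unlocalized field, matching on that is more portable; otherwise a sentence in `description` noting that the value must be adapted on localized systems would keep deployers from assuming coverage they do not have.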
diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
new file mode 100644
index 00000000000..0f53941d23d
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
@@ -0,0 +1,30 @@
+title: Accesschk Usage After Privilege Escalation
+id: c625d754-6a3d-4f65-9c9a-536aea960d37
+description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+tags:
+ - attack.discovery
+ - attack.t1069.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ product:
+ Product|endswith: 'AccessChk'
+ description:
+ Description|contains: 'Reports effective permissions'
+ condition: integrity_level and (product or description)
+fields:
+ - IntegrityLevel
+ - Product
+ - Description
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: high
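Review bot: Both alternatives in `condition: integrity_level and (product or description)` rely solely on PE version-resource strings (`Product`, `Description`), which are absent when the log source does not populate them and change when a copy is rebuilt or patched, so the rule has no fallback on the image itself. An additional alternative keyed on the binary name, e.g. an `image:` selection with `Image|endswith:` `- '\accesschk.exe'` and `- '\accesschk64.exe'`, keeps coverage when version information is missing. Naming a selection `description` also reads confusingly next to the top-level `description` key; it is legal, but `description_match` would be clearer.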
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
new file mode 100644
index 00000000000..73a21e2954b
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -0,0 +1,32 @@
+title: Always Install Elevated MSI Spawned Cmd And Powershell
+id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
+description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ image:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ parent_image:
+ ParentImage|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ ParentImage|endswith:
+ - 'tmp'
+ condition: image and parent_image
+fields:
+ - Image
+ - ParentImage
+falsepositives:
+ - Penetration test
+level: medium
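Review bot: `ParentImage|endswith: 'tmp'` lacks the dot, so it also matches any parent whose file name simply ends in those three letters rather than a `.tmp` extension; `- '.tmp'` is the intended anchor. The same pattern appears in `ParentOfParentImage|endswith` of sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml and in `Image|endswith` of sysmon_always_install_elevated_windows_installer.yml below.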
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
new file mode 100644
index 00000000000..cd2d7a6d611
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -0,0 +1,35 @@
+title: MSI Spawned Cmd and Powershell Spawned Processes
+id: 38cf8340-461b-4857-bf99-23a41f772b18
+description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ parent_image:
+ ParentImage|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ parent_of_parent_image:
+ ParentOfParentImage|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ ParentOfParentImage|endswith:
+ - 'tmp'
+ condition: parent_image and parent_of_parent_image
+fields:
+ - ParentImage
+ - ParentOfParentImage
+falsepositives:
+ - Penetration test
+level: high
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
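Review bot: The two `enrichment` entries are annotated only with bit.ly short links, which cannot be audited from the repository and can be retargeted by whoever controls the shortener account; a rule repository should cite the canonical URL of each enrichment definition instead, e.g. `# <canonical URL of the EN_0001 definition>` (placeholder, replace with the real link). `ParentOfParentImage` is not a standard process_creation field and only exists after those enrichments are applied, so a sentence in `description` saying the rule requires both enrichments would save deployers a silent no-match.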
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
new file mode 100644
index 00000000000..8d89e217bb0
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -0,0 +1,37 @@
+title: Always Install Elevated Windows Installer
+id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
+description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ integrity_level:
+ IntegrityLevel: 'System'
+ user:
+ User: 'NT AUTHORITY\SYSTEM'
+ image_1:
+ Image|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ Image|endswith:
+ - 'tmp'
+ image_2:
+ Image|endswith:
+ - '\msiexec.exe'
+ condition: (image_1 and user) or (image_2 and user and integrity_level)
+fields:
+ - IntegrityLevel
+ - User
+ - Image
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
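Review bot: The second clause of `condition: (image_1 and user) or (image_2 and user and integrity_level)` matches any `\msiexec.exe` running as SYSTEM at System integrity, which, as far as I can tell, describes the Windows Installer service host itself (started as `msiexec.exe /V`) and the per-machine install workers it spawns, so the rule fires on routine installations rather than specifically on AlwaysInstallElevated abuse. A filter on the service host, `filter_service:` with `CommandLine|endswith: ' /V'` and `and not filter_service` in the condition, plus a sentence in `description` on how elevated installs are distinguished from normal ones, would narrow it; without that, `level: medium` with `falsepositives` limited to admin usage and pentests undersells the noise.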
\ No newline at end of file
diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml
similarity index 95%
rename from rules/windows/process_creation/cmstp_execution.yml
rename to rules/windows/process_creation/sysmon_cmstp_execution.yml
index 7ec90b74e90..7a27dc2f245 100644
--- a/rules/windows/process_creation/cmstp_execution.yml
+++ b/rules/windows/process_creation/sysmon_cmstp_execution.yml
@@ -27,5 +27,5 @@ logsource:
detection:
# CMSTP Spawning Child Process
selection:
- ParentImage: '*\cmstp.exe'
+ ParentImage|endswith: '\cmstp.exe'
condition: selection
diff --git a/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml
new file mode 100644
index 00000000000..837cf20c166
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml
@@ -0,0 +1,24 @@
+title: High Integrity Sdclt Process
+id: 40f9af16-589d-4984-b78d-8c2aec023197
+description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/6
+ - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: 'sdclt.exe'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index 2b158b3a319..365be7dcff3 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -16,17 +16,17 @@ logsource:
product: windows
detection:
exec_selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
exec_exclusion1:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
exec_exclusion2:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
create_keywords_cli:
- CommandLine: '*UserInitMprLogonScript*'
+ CommandLine|contains: 'UserInitMprLogonScript'
condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
new file mode 100644
index 00000000000..52ffcbc0543
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
@@ -0,0 +1,28 @@
+title: Too Long PowerShell Commandlines
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
+description: Detects Too long PowerShell command lines
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ Powershell_selection:
+ - CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ - Description: 'Windows Powershell'
+ - Product: 'PowerShell Core 6'
+ Length_selection:
+ CommandLine|re: '.{1000,}'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
new file mode 100644
index 00000000000..439e99a78e3
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -0,0 +1,32 @@
+title: Proxy Execution via Wuauclt
+id: af77cf95-c469-471c-b6a0-946c685c4798
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
+status: experimental
+date: 2020/10/12
+modified: 2021/05/10
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+references:
+ - https://dtm.uk/wuauclt/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_one:
+ - Image|contains: wuauclt
+ - OriginalFileName: wuauclt.exe
+ selection_two:
+ CommandLine|contains|all:
+ - 'UpdateDeploymentProvider'
+ - '.dll'
+ - 'RunHandlerComServer'
+ filter:
+ CommandLine|contains:
+ - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
+ - ' wuaueng.dll '
+ condition: selection_one and selection_two and not filter
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml
new file mode 100644
index 00000000000..3a0b7dfedf8
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_rclone_execution.yml
@@ -0,0 +1,46 @@
+title: RClone Execution
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+status: experimental
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+modified: 2021/06/29
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+ - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+ - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate RClone use
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Description: 'Rsync for cloud storage'
+ selection2:
+ CommandLine|contains|all:
+ - '--config '
+ - '--no-check-certificate '
+ - ' copy '
+ selection3:
+ Image|endswith:
+ - '\rclone.exe'
+ CommandLine|contains:
+ - 'mega'
+ - 'pcloud'
+ - 'ftp'
+ - '--progress'
+ - '--ignore-existing'
+ - '--auto-confirm'
+ - '--transfers'
+ - '--multi-thread-streams'
+ condition: 1 of them
diff --git a/rules/windows/process_creation/sysmon_sdclt_child_process.yml b/rules/windows/process_creation/sysmon_sdclt_child_process.yml
new file mode 100644
index 00000000000..8e328a3049c
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_sdclt_child_process.yml
@@ -0,0 +1,22 @@
+title: Sdclt Child Processes
+id: da2738f2-fadb-4394-afa7-0a0674885afa
+description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/6
+ - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\sdclt.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
new file mode 100644
index 00000000000..6e66c04a3d1
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
@@ -0,0 +1,23 @@
+title: Suspicious WebDav Client Execution
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
+description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/17
+ - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
new file mode 100644
index 00000000000..04a8b5dd27a
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Invocation.ps1
+id: a0459f02-ac51-4c09-b511-b8c9203fc429
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 00000000000..4fd2f44c7f6
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 99465c8f-f102-4157-b11c-b0cddd53b79a
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_ad_find_discovery.yml b/rules/windows/process_creation/win_ad_find_discovery.yml
new file mode 100644
index 00000000000..2e6f5b93fc8
--- /dev/null
+++ b/rules/windows/process_creation/win_ad_find_discovery.yml
@@ -0,0 +1,43 @@
+title: AdFind Usage Detection
+id: 9a132afa-654e-11eb-ae93-0242ac130002
+description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
+references:
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+ - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+date: 2021/02/02
+modified: 2021/02/02
+tags:
+ - attack.discovery
+ - attack.t1482
+ - attack.t1018
+level: high
+status: experimental
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'domainlist'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'adinfo'
+ - ' dclist '
+ - 'computer_pwdnotreqd'
+ - 'objectcategory='
+ - '-subnets -f'
+ - 'name="Domain Admins"'
+ - '-sc u:'
+ - 'domainncs'
+ - 'dompol'
+ - ' oudmp '
+ - 'subnetdmp'
+ - 'gpodmp'
+ - 'fspdmp'
+ - 'users_noexpire'
+ - 'computers_active'
+ condition: selection
+falsepositives:
+ - Admin activity
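Review bot: Several entries in `CommandLine|contains` are generic substrings rather than AdFind-specific switches — `'objectcategory='` is an ordinary LDAP filter fragment also passed to dsquery, ldifde and PowerShell AD cmdlets, and `'adinfo'`, `'dompol'` or `'dcmodes'` can occur inside unrelated paths and arguments — and with no `Image` or `OriginalFileName` anchor the rule fires at `level: high` on all of them. Either pair the list with an image selection, or keep the generic tokens behind a second selection that also requires an AdFind indicator such as `'adfind'` in the command line. `falsepositives: Admin activity` should then name the legitimate directory tools that use the same LDAP syntax.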
diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml
index 4f3e93244a1..a62d7260276 100644
--- a/rules/windows/process_creation/win_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml
@@ -1,3 +1,4 @@
+action: global
title: Advanced IP Scanner
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
status: experimental
@@ -5,11 +6,19 @@ description: Detects the use of Advanced IP Scanner. Seems to be a popular tool
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+ - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+ - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020/05/12
+modified: 2021/05/11
tags:
- attack.discovery
- attack.t1046
+falsepositives:
+ - Legitimate administrative use
+level: medium
+---
logsource:
category: process_creation
product: windows
@@ -17,6 +26,11 @@ detection:
selection:
Image|contains: '\advanced_ip_scanner'
condition: selection
-falsepositives:
- - Legitimate administrative use
-level: medium
+---
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
+ condition: selection
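Review bot: With the split into `action: global` documents the rule now also covers `category: file_event`, yet it still lives under `rules/windows/process_creation/`, so anyone browsing by log source will not find the file-event part; a location such as `rules/windows/<category-neutral folder>/` (placeholder, per repository convention) would fit the new shape better. The file_event selection `'\AppData\Local\Temp\Advanced IP Scanner 2'` is also version-bound; `'\Temp\Advanced IP Scanner'` or a note in `description` would survive the next release of the tool.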
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index 0e60a088cfa..69a911e4455 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -17,7 +17,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*-noni -ep bypass $*'
+ CommandLine|contains|all:
+ - '-noni'
+ - '-ep'
+ - 'bypass'
+ - '$'
condition: selection
falsepositives:
- unknown
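Review bot: Replacing `'*-noni -ep bypass $*'` with `CommandLine|contains|all` of `'-noni'`, `'-ep'`, `'bypass'` and `'$'` discards the adjacency that made the original specific: `'$'` appears in almost every PowerShell command line and `'-ep'`/`'bypass'` are common on their own, so any script started with `-noni` and an execution-policy bypass now matches regardless of the reported pattern. The same precision loss is in win_apt_bear_activity_gtr19.yml (`'\\'` and `'""'` as standalone tokens) and win_apt_evilnum_jul20.yml (`' /s /i '` split into `'/s'` and `'/i'`). Where the intent was only to drop the wildcard syntax, a single `CommandLine|contains: '-noni -ep bypass $'` keeps the phrase intact while staying on the modern modifier.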
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index ec6dbff1691..248e3d65296 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -17,11 +17,20 @@ logsource:
product: windows
detection:
selection1:
- Image: '*\xcopy.exe'
- CommandLine: '* /S /E /C /Q /H \\*'
+ Image|endswith: '\xcopy.exe'
+ CommandLine|contains|all:
+ - '/S'
+ - '/E'
+ - '/C'
+ - '/Q'
+ - '/H'
+ - '\\'
selection2:
- Image: '*\adexplorer.exe'
- CommandLine: '* -snapshot "" c:\users\\*'
+ Image|endswith: '\adexplorer.exe'
+ CommandLine|contains|all:
+ - '-snapshot'
+ - '""'
+ - 'c:\users\'
condition: selection1 or selection2
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index ba271c720f0..dedb3b2d530 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -15,9 +15,12 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\regsvr32*\AppData\Local\\*'
- - '*\AppData\Local\\*,DllEntry*'
+ - CommandLine|contains|all:
+ - '\regsvr32'
+ - '\AppData\Local\'
+ - CommandLine|contains|all:
+ - '\AppData\Local\'
+ - ',DllEntry'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index 1662eac373e..a64f9629875 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -19,7 +19,7 @@ tags:
- attack.t1071.004
date: 2018/03/23
modified: 2020/08/26
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
detection:
condition: 1 of them
falsepositives:
@@ -47,33 +47,31 @@ detection:
- 'UpdatMachine'
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection_reg1:
- EventID: 13
- TargetObject:
- - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
- EventType: 'SetValue'
- selection_reg2:
- EventID: 13
- TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
- EventType: 'SetValue'
- Details: 'DWORD (0x00000001)'
+ TargetObject|endswith:
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
---
logsource:
category: process_creation
product: windows
detection:
+ selection_process0:
+ CommandLine|contains: '\Service.exe'
+ CommandLine|endswith:
+ - 'i'
+ - 'u'
selection_process1:
- CommandLine:
- - '*\Service.exe i'
- - '*\Service.exe u'
- - '*\microsoft\Taskbar\autoit3.exe'
- - 'C:\wsc.exe*'
+ - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe'
+ - CommandLine|startswith: 'C:\wsc.exe'
selection_process2:
- Image: '*\Windows\Temp\DB\\*.exe'
+ Image|contains: '\Windows\Temp\DB\'
+ Image|endswith: '.exe'
selection_process3:
- CommandLine: '*\nslookup.exe -q=TXT*'
- ParentImage: '*\Autoit*'
+ CommandLine|contains|all:
+ - '\nslookup.exe'
+ - '-q=TXT'
+ ParentImage|contains: '\Autoit'
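Review bot: `selection_process0` pairs `CommandLine|contains: '\Service.exe'` with `CommandLine|endswith: 'i'` / `'u'`, so any command line mentioning `\Service.exe` anywhere that happens to end in either letter matches, far looser than the `'*\Service.exe i'` / `'*\Service.exe u'` it replaces; `CommandLine|endswith:` with `- '\Service.exe i'` and `- '\Service.exe u'` preserves the original. In the registry document, `selection_reg2` (the WDigest `UseLogonCredential` set to `DWORD (0x00000001)`) is removed together with the `EventType: 'SetValue'` constraint, and nothing in the hunk says where that coverage went — if it moved to a dedicated rule a reference would help, otherwise this is a silent regression. Because `condition: 1 of them` sits in the first document above this hunk, the remaining `TargetObject|endswith` selection now also fires on registry events other than value writes.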
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index f6cde48531d..8c6538e1861 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -15,8 +15,10 @@ logsource:
product: windows
detection:
selection:
- Image: '*\cscript.exe'
- CommandLine: '*.vbs /shell *'
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - '.vbs'
+ - '/shell'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml
index 4c159386500..78c99ce9237 100755
--- a/rules/windows/process_creation/win_apt_dragonfly.yml
+++ b/rules/windows/process_creation/win_apt_dragonfly.yml
@@ -13,8 +13,8 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\crackmapexec.exe'
+ Image|endswith:
+ - '\crackmapexec.exe'
condition: selection
falsepositives:
- None
diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml
index e392bbd7c5d..3758f698d67 100755
--- a/rules/windows/process_creation/win_apt_elise.yml
+++ b/rules/windows/process_creation/win_apt_elise.yml
@@ -20,9 +20,9 @@ logsource:
detection:
selection1:
Image: 'C:\Windows\SysWOW64\cmd.exe'
- CommandLine: '*\Windows\Caches\NavShExt.dll *'
+ CommandLine|contains: '\Windows\Caches\NavShExt.dll '
selection2:
- CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+ CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: 1 of them
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
index 06a42220d55..aae0f52a5fa 100644
--- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -17,8 +17,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\sllauncher.exe'
- Image: '*\svchost.exe'
+ ParentImage|endswith: '\sllauncher.exe'
+ Image|endswith: '\svchost.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 4aa0844196d..55efdc51293 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -22,13 +22,13 @@ logsource:
product: windows
detection:
selection_cutil:
- CommandLine:
- - '*/i:%APPDATA%\logs.txt scrobj.dll'
- Image:
- - '*\cutil.exe'
+ CommandLine|endswith:
+ - '/i:%APPDATA%\logs.txt scrobj.dll'
+ Image|endswith:
+ - '\cutil.exe'
selection_regsvr32:
- CommandLine:
- - '*/i:%APPDATA%\logs.txt scrobj.dll'
+ CommandLine|endswith:
+ - '/i:%APPDATA%\logs.txt scrobj.dll'
Description:
- Microsoft(C) Registerserver
-
\ No newline at end of file
+
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 6eedefb4a3f..78748faa44c 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -18,10 +18,10 @@ logsource:
product: windows
detection:
selection1:
- Image: '*\rundll32.exe'
- CommandLine: '*,dll_u'
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: ',dll_u'
selection2:
- CommandLine: '* -export dll_u *'
+ CommandLine|contains: ' -export dll_u '
condition: 1 of them
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
index da8c4c04f44..df63be5a5fc 100644
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -19,7 +19,8 @@ detection:
selection:
CommandLine|contains|all:
- 'regsvr32'
- - ' /s /i '
+ - '/s'
+ - '/i'
- '\AppData\Roaming\'
- '.ocx'
condition: selection
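Review bot: Splitting `' /s /i '` into `'/s'` and `'/i'` drops both the adjacency and the surrounding spaces, so the two terms now match any command line that merely contains those two-character substrings (inside a path, or switches such as `/silent` and `/install`). Keeping the switch boundaries as `- ' /s '` and `- ' /i '` retains the order-independence the rewrite is after without loosening the match. The greenbug hunk (`'bitsadmin /transfer'` → `'bitsadmin'` and `'/transfer'`) has the same loosening, though `/transfer` is specific enough that it matters less there.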
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index f56288f7f04..ffae0327158 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -23,7 +23,8 @@ logsource:
detection:
selection1:
CommandLine|contains|all:
- - 'bitsadmin /transfer'
+ - 'bitsadmin'
+ - '/transfer'
- 'CSIDL_APPDATA'
selection2:
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml
new file mode 100644
index 00000000000..042fe15aae4
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_hafnium.yml
@@ -0,0 +1,72 @@
+title: Exchange Exploitation Activity
+id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
+description: Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers
+author: Florian Roth
+date: 2021/03/09
+modified: 2021/03/16
+status: experimental
+references:
+ - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+ - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+ - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
+ - https://twitter.com/BleepinComputer/status/1372218235949617161
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'attrib'
+ - ' +h '
+ - ' +s '
+ - ' +r '
+ - '.aspx'
+ selection2:
+ CommandLine|contains|all:
+ - 'schtasks'
+ - 'VSPerfMon'
+ selection3:
+ CommandLine|contains|all:
+ - 'vssadmin list shadows'
+ - 'Temp\__output'
+ selection4:
+ CommandLine|contains: '%TEMP%\execute.bat'
+ selection5:
+ Image|endswith: 'Users\Public\opera\Opera_browser.exe'
+ selection6:
+ Image|endswith: 'Opera_browser.exe'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\svchost.exe'
+ selection7:
+ Image|contains: '\ProgramData\VSPerfMon\'
+ selection8:
+ CommandLine|contains|all:
+ - ' -t7z '
+ - 'C:\Programdata\pst'
+ - '\it.zip'
+ selection9:
+ Image|endswith: '\makecab.exe'
+ CommandLine|contains:
+ - 'Microsoft\Exchange Server\'
+ - 'inetpub\wwwroot'
+ selection10:
+ CommandLine|contains:
+ - '\Temp\xx.bat'
+ - 'Windows\WwanSvcdcs'
+ - 'Windows\Temp\cw.exe'
+ selection11:
+ CommandLine|contains|all:
+ - '\comsvcs.dll'
+ - 'Minidump'
+ - '\inetpub\wwwroot'
+ selection12:
+ CommandLine|contains|all:
+ - 'dsquery'
+ - ' -uco '
+ - '\inetpub\wwwroot'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
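Review bot: The new rule has no `tags:` block, while the other new rules in this commit (win_apt_lazarus_activity_apr21, win_bad_opsec_sacrificial_processes) carry attack tags; add a `tags:` block with `- attack.g0125` (HAFNIUM) plus the techniques the selections cover, e.g. `- attack.t1505.003` for the `.aspx` web-shell handling in selection1/selection9 and `- attack.t1003.001` for the `comsvcs.dll` `Minidump` in selection11. The `description` also misspells "activity" as "acitivity".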
diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml
index 294a3484df1..8f7f0eeddad 100755
--- a/rules/windows/process_creation/win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml
@@ -15,9 +15,12 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* localgroup administrators admin /add'
- - '*\Win64.exe*'
+ - CommandLine|contains|all:
+ - 'localgroup'
+ - 'admin'
+ - '/add'
+ - CommandLine|contains:
+ - '\Win64.exe'
condition: selection
falsepositives:
- Unknown
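Review bot: The rewritten `selection` now fires on every addition of any account to the local Administrators group: since `'admin'` is a substring of `'administrators'`, the `'admin'` term no longer constrains the account name, and routine `net localgroup administrators <user> /add` administration will trigger a rule titled Hurricane Panda. If the bare `admin` account name is what characterises the campaign, keep it as its own token, e.g. `- 'administrators admin'` in place of `- 'admin'`, or restore the single `- 'localgroup administrators admin /add'` under `CommandLine|contains`.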
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index ca9d2189e16..c1fb93db55b 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -20,15 +20,15 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\\*'
+ - CommandLine|endswith: 'eprod.ldf'
+ - CommandLine|contains:
+ - '\ldifde.exe -f -n '
+ - '\7za.exe a 1.7z '
+ - '\aaaa\procdump64.exe'
+ - '\aaaa\netsess.exe'
+ - '\aaaa\7za.exe'
+ - 'copy .\1.7z \'
+ - 'copy \\client\c$\aaaa\'
selection2:
Image: C:\Users\Public\7za.exe
condition: selection1 or selection2
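Review bot: `'copy \\client\c$\aaaa\'` still encodes the UNC prefix as `\\`, which under Sigma's escaping rules (a double backslash not followed by a wildcard is one literal backslash — the same equivalence this commit relies on when collapsing `C:\ProgramData\\` to `C:\ProgramData\` in the lazarus hunks) reduces to a single backslash, so the value would match `copy \client\c$\aaaa\` rather than the two-backslash UNC path. If the UNC form is intended it needs `- 'copy \\\\client\c$\aaaa\'`. The removed wildcard value had the same ambiguity, so this is inherited rather than introduced, but the rewrite is the moment to settle it.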
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
new file mode 100644
index 00000000000..c100e1b9288
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
@@ -0,0 +1,33 @@
+title: Lazarus Activity
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
+status: experimental
+references:
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+tags:
+ - attack.g0032
+author: Bhabesh Raj
+date: 2021/04/20
+modified: 2021/06/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'mshta'
+ - '.zip'
+ selection2:
+ ParentImage:
+ - 'C:\Windows\System32\wbem\wmiprvse.exe'
+ Image:
+ - 'C:\Windows\System32\mshta.exe'
+ selection3:
+ ParentImage|contains:
+ - ':\Users\Public\'
+ Image:
+ - 'C:\Windows\System32\rundll32.exe'
+ condition: 1 of them
+falsepositives:
+ - Should not be any false positives
+level: critical
\ No newline at end of file
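Review bot: `tags:` lists only the group id; the three selections are mshta and rundll32 executions, so technique tags `- attack.t1218.005` and `- attack.t1218.011` (the latter already used on this page in win_bad_opsec_sacrificial_processes) would let the rule be found by technique. `selection3` matches `Image` exactly against `C:\Windows\System32\rundll32.exe`, which misses the SysWOW64 copy; `Image|endswith: '\rundll32.exe'` is the form the rest of this commit uses. The file also lacks a trailing newline.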
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
index 30507fefd70..9843b81e5f4 100644
--- a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
@@ -9,6 +9,7 @@ tags:
- attack.g0032
author: Florian Roth
date: 2020/12/23
+modified: 2021/06/27
logsource:
category: process_creation
product: windows
@@ -30,7 +31,7 @@ detection:
# Network share discovery
selection4:
CommandLine|contains:
- - '.255 10 C:\ProgramData\\'
+ - '.255 10 C:\ProgramData\'
condition: 1 of them
falsepositives:
- Overlap with legitimate process activity in some cases (especially selection 3 and 4)
diff --git a/rules/windows/process_creation/win_apt_lazarus_loader.yml b/rules/windows/process_creation/win_apt_lazarus_loader.yml
index f947bc97f40..df3df1a4d7f 100644
--- a/rules/windows/process_creation/win_apt_lazarus_loader.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_loader.yml
@@ -7,8 +7,9 @@ references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
tags:
- attack.g0032
-author: Florian Roth
+author: Florian Roth, wagga
date: 2020/12/23
+modified: 2021/06/27
logsource:
category: process_creation
product: windows
@@ -19,12 +20,12 @@ detection:
- ' -p 0x'
selection_cmd2:
CommandLine|contains:
- - 'C:\ProgramData\\'
- - 'C:\RECYCLER\\'
+ - 'C:\ProgramData\'
+ - 'C:\RECYCLER\'
selection_rundll1:
CommandLine|contains|all:
- 'rundll32.exe '
- - 'C:\ProgramData\\'
+ - 'C:\ProgramData\'
selection_rundll2:
CommandLine|contains:
- '.bin,'
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index bf8fcd81988..41edce51fc3 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -15,13 +15,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\msdtc.exe'
- - '*\gpvc.exe'
+ Image|endswith:
+ - '\msdtc.exe'
+ - '\gpvc.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 28fa669249a..614745109e1 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -2,7 +2,7 @@ title: Mustang Panda Dropper
id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
status: experimental
description: Detects specific process parameters as used by Mustang Panda droppers
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/10/30
references:
- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
@@ -13,15 +13,18 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*Temp\wtask.exe /create*'
- - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- - '*/E:vbscript * C:\Users\\*.txt" /F'
- - '*/tn "Security Script *'
- - '*%windir:~-1,1%*'
+ - CommandLine|contains:
+ - 'Temp\wtask.exe /create'
+ - '%windir:~-3,1%%PUBLIC:~-9,1%'
+ - '/tn "Security Script '
+ - '%windir:~-1,1%'
+ - CommandLine|contains|all:
+ - '/E:vbscript'
+ - 'C:\Users\'
+ - '.txt'
+ - '/F'
selection2:
- Image:
- - '*Temp\winwsh.exe'
+ Image|endswith: 'Temp\winwsh.exe'
condition: 1 of them
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml
index 2588e6dd8f4..51589931e0f 100755
--- a/rules/windows/process_creation/win_apt_slingshot.yml
+++ b/rules/windows/process_creation/win_apt_slingshot.yml
@@ -25,7 +25,6 @@ detection:
CommandLine|contains:
- '/delete'
- '/change'
- selection2:
CommandLine|contains|all:
- '/TN'
- '\Microsoft\Windows\Defrag\ScheduledDefrag'
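Review bot: Removing `selection2:` folds the `/TN` + `ScheduledDefrag` list into the preceding selection, which is only equivalent if the `condition` (outside the hunk) was `selection1 and selection2`; if it was `1 of them`, the rule now requires both lists instead of either, and if it still names `selection2` it no longer compiles. Please confirm the condition line was adjusted in the same commit, and consider a `modified:` date for the semantic change.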
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 6daeed46b2f..ac8d9ae9b05 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -1,9 +1,9 @@
title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
status: experimental
date: 2018/03/01
-modified: 2020/08/27
+modified: 2020/11/28
description: Detects Trojan loader acitivty as used by APT28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -22,11 +22,14 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - 'rundll32.exe %APPDATA%\\*.dat",*'
- - 'rundll32.exe %APPDATA%\\*.dll",#1'
- condition: selection
+ selection1:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '%APPDATA%\'
+ selection2:
+ - CommandLine|contains: '.dat",'
+ - CommandLine|endswith: '.dll",#1'
+ condition: selection1 and selection2
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 9cfbe54c60e..70dcfd75efd 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -16,6 +16,6 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+ CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
condition: selection
level: high
diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml
index 213507d84cc..b1c08180119 100644
--- a/rules/windows/process_creation/win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml
@@ -11,6 +11,7 @@ tags:
- unc2452
author: Florian Roth
date: 2021/01/22
+modified: 2021/06/27
logsource:
category: process_creation
product: windows
@@ -32,7 +33,7 @@ detection:
CommandLine|contains: 'cmd.exe /C '
selection4:
CommandLine|contains|all:
- - 'rundll32 c:\windows\\'
+ - 'rundll32 c:\windows\'
- '.dll '
specific1:
ParentImage|endswith: '\rundll32.exe'
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index b36bd2f402a..20e60b32457 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -22,14 +22,14 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*cyzfc.dat, PointFunctionCall'
+ CommandLine|contains: 'cyzfc.dat,'
+ CommandLine|endswith: 'PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection2:
- EventID: 11
- TargetFilename:
- - '*ds7002.lnk*'
\ No newline at end of file
+ TargetFilename|contains:
+ - 'ds7002.lnk'
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
index 20e369df94c..fb055f88e1f 100644
--- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -9,7 +9,7 @@ tags:
- attack.t1574.002
- attack.t1073 # an old one
- attack.g0044
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2020/07/30
logsource:
category: process_creation
@@ -19,10 +19,12 @@ detection:
CommandLine|contains:
- 'setup0.exe -p'
selection2:
- CommandLine|endswith:
- - 'setup.exe -x:0'
- - 'setup.exe -x:1'
- - 'setup.exe -x:2'
+ CommandLine|contains|all:
+ - 'setup.exe'
+ CommandLine|endswith:
+ - '-x:0'
+ - '-x:1'
+ - '-x:2'
condition: 1 of them
falsepositives:
- Legitimate setups that use similar flags
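Review bot: `CommandLine|contains|all:` over a single-item list is a no-op `all`; `CommandLine|contains: 'setup.exe'` reads cleaner and is the form used elsewhere in this commit. Note the rewrite also changes meaning slightly: the old `endswith 'setup.exe -x:0'` required the switch immediately after the binary, whereas `contains 'setup.exe'` plus `endswith '-x:0'` accepts any arguments in between — probably intended, but worth a `modified:` date alongside the author change in the first hunk.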
diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml
index 20307a72363..6ddaacd920f 100644
--- a/rules/windows/process_creation/win_apt_wocao.yml
+++ b/rules/windows/process_creation/win_apt_wocao.yml
@@ -32,7 +32,7 @@ detection:
selection:
EventID: 4799
GroupName: 'Administrators'
- ProcessName: '*\checkadmin.exe'
+ ProcessName|endswith: '\checkadmin.exe'
condition: selection
---
logsource:
@@ -51,4 +51,4 @@ detection:
- 'type *keepass\KeePass.config.xml'
- 'iie.exe iie.txt'
- 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
- condition: selection
\ No newline at end of file
+ condition: selection
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index fc17af95c71..515d541e791 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -1,7 +1,7 @@
title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
description: Detects a ZxShell start by the called and well-known function name
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2017/07/20
modified: 2020/08/26
references:
@@ -20,9 +20,11 @@ logsource:
product: windows
detection:
selection:
+ Image|endswith:
+ - '\rundll32.exe'
CommandLine|contains:
- - 'rundll32.exe *,zxFunction*'
- - 'rundll32.exe *,RemoteDiskXXXXX'
+ - 'zxFunction'
+ - 'RemoteDiskXXXXX'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index 9e403128b14..ca50c3bc1d5 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -10,12 +10,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\attrib.exe'
- CommandLine: '* +h *'
+ Image|endswith: '\attrib.exe'
+ CommandLine|contains: ' +h '
ini:
- CommandLine: '*\desktop.ini *'
+ CommandLine|contains: '\desktop.ini '
intel:
- ParentImage: '*\cmd.exe'
+ ParentImage|endswith: '\cmd.exe'
CommandLine: +R +H +S +A \\*.cui
ParentCommandLine: C:\WINDOWS\system32\\*.bat
condition: selection and not (ini or intel)
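Review bot: The `intel` filter is only half-converted: `CommandLine: +R +H +S +A \\*.cui` and `ParentCommandLine: C:\WINDOWS\system32\\*.bat` keep the wildcard-in-value form that the rest of this commit replaces with modifiers, and as unquoted plain scalars they also depend on the YAML loader leaving `+` and `\\` untouched. Rewriting them with `contains`/`endswith` and `startswith`/`endswith` preserves the match while making the filter consistent with `selection` and `ini` above; since this is a `not` filter, any change in what it matches widens or narrows the alert, so it is worth re-running the rule tests after.
```yaml
  intel:
    ParentImage|endswith: '\cmd.exe'
    CommandLine|contains: '+R +H +S +A \'
    CommandLine|endswith: '.cui'
    ParentCommandLine|startswith: 'C:\WINDOWS\system32\'
    ParentCommandLine|endswith: '.bat'
```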
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
new file mode 100644
index 00000000000..4b9294d8cb0
--- /dev/null
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -0,0 +1,25 @@
+title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+id: a7c3d773-caef-227e-a7e7-c2f13c622329
+status: experimental
+description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
+author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
+date: 2020/10/23
+references:
+ - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
+ - https://www.cobaltstrike.com/help-opsec
+tags:
+ - attack.defense_evasion
+ - attack.t1085 # legacy
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\WerFault.exe'
+ - '\rundll32.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
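Review bot: `CommandLine|endswith: '\WerFault.exe'` / `'\rundll32.exe'` only matches an unquoted, argument-less image path; when the process is started with a quoted path the command line ends in `"` and the selection misses it, so the list should also carry `- '\WerFault.exe"'` and `- '\rundll32.exe"'`. Since WerFault.exe is normally started by the system with `-u -p <pid> -s <n>` style arguments, the no-argument form stays specific either way.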
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 87c001abf17..a5422e5f69a 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -24,19 +24,18 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - wmic * *format:\"http*
- - wmic * /format:'http
- - wmic * /format:http*
+ Image|endswith:
+ - '\wmic.exe'
+ CommandLine|contains|all:
+ - wmic
+ - format
+ - http
selection2:
Imphash:
- 1B1A3F43BF37B5BFE60751F2EE2F326E
- 37777A96245A3C74EB217308F3546F4C
- 9D87C9D67CE724033C0B40CC4CA1B206
- CommandLine:
- - '* *format:\"http*'
- - '* /format:''http'
- - '* /format:http*'
+ CommandLine|contains|all:
+ - 'format:'
+ - 'http'
condition: 1 of them
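Review bot: `selection1` now requires only `wmic`, `format` and `http` as unrelated substrings, while `selection2` keeps the more specific `'format:'`; using `- 'format:'` in `selection1` too keeps the two selections consistent and stops a `wmic` query that merely mentions a column or argument containing "format" from matching. The unquoted items are valid plain scalars, but quoting them (`- 'wmic'`) would match the style of the other lists this commit rewrites.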
diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml
new file mode 100644
index 00000000000..bb53e91737d
--- /dev/null
+++ b/rules/windows/process_creation/win_class_exec_xwizard.yml
@@ -0,0 +1,22 @@
+title: Custom Class Execution via Xwizard
+id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
+status: experimental
+description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\xwizard.exe'
+ CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
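Review bot: The `CommandLine|re` pattern opens with an unescaped `{` and closes with an unescaped `}`; PCRE-style engines treat a `{` that does not form a quantifier as a literal, but not every backend's regex engine is that lenient, so escape both: `CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'`. A `medium` rule keyed on any class GUID passed to xwizard will presumably also fire on Windows' own wizard invocations; if those are known, listing them under `falsepositives` instead of `Unknown` would help triage, though I cannot verify that from here.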
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index ca801d0e695..bc9d89c74d0 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\cmdkey.exe'
- CommandLine: '* /list *'
+ Image|endswith: '\cmdkey.exe'
+ CommandLine|contains: ' /list '
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 5a42c7f503d..589a2a18ded 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -16,9 +16,11 @@ logsource:
product: windows
detection:
selection:
- ParentCommandLine|contains: 'cmd*/c'
+ ParentCommandLine|contains|all:
+ - 'cmd'
+ - '/c'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- (not much) some benign Java tools may product false-positive commandlines for loading libraries
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 2041900946c..854f0f44ec4 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -14,24 +14,24 @@ tags:
- attack.t1546
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020/06/22
-modified: 2020/08/29
+modified: 2020/11/28
level: critical
logsource:
product: windows
category: process_creation
detection:
selection1:
- CommandLine: '*.cpl'
+ CommandLine|endswith: '.cpl'
filter:
- CommandLine:
- - '*\System32\\*'
- - '*%System%*'
+ CommandLine|contains:
+ - '\System32\'
+ - '%System%'
selection2:
- CommandLine:
- - '*reg add*'
+ Image|endswith: '\reg.exe'
+ CommandLine|contains: 'add'
selection3:
- CommandLine:
- - '*CurrentVersion\\Control Panel\\CPLs*'
+ CommandLine|contains:
+ - 'CurrentVersion\\Control Panel\\CPLs'
condition: (selection1 and not filter) or (selection2 and selection3)
falsepositives:
- Unknown
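Review bot: `selection2`'s `CommandLine|contains: 'add'` is a bare three-letter substring that matches any `reg.exe` invocation whose key or value name happens to contain it (e.g. `reg query ...\Addins`); `CommandLine|contains: ' add '` keeps the verb and the original intent of `reg add`. `selection3` still writes `'CurrentVersion\\Control Panel\\CPLs'` with doubled backslashes while the neighbouring `filter` and the lazarus hunks in this commit collapse `\\` to `\`; both spell a single backslash under Sigma escaping, so `- 'CurrentVersion\Control Panel\CPLs'` is the consistent form.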
diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
new file mode 100644
index 00000000000..2fda0365b2a
--- /dev/null
+++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml
@@ -0,0 +1,26 @@
+title: Dropping Of Password Filter DLL
+id: b7966f4a-b333-455b-8370-8ca53c229762
+description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+references:
+ - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
+ - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
+tags:
+ - attack.credential_access
+ - attack.t1174
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmdline:
+ CommandLine|contains|all:
+ - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
+ - 'scecli\0*'
+ - 'reg add'
+ condition: selection_cmdline
+falsepositives:
+ - unknown
+level: medium
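Review bot: `'scecli\0*'` carries a trailing `*` inside a `contains` list, which is redundant (contains already wildcards both ends) and is exactly the form this commit strips elsewhere (`'*.tmp'` → `'.tmp'` in the maze hunk); write `- 'scecli\0'`. The `description` says the rule detects dropping of DLLs into system32, but the only selection matches the `reg add` that registers a Notification Package under `Control\Lsa`, so the description should say that instead. `attack.t1174` is the retired id for this technique; the current sub-technique is `attack.t1556.002`, and keeping the old one as a `# legacy` entry (as win_bad_opsec does with `attack.t1085`) would follow the repository's convention.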
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index c21b53e8ea5..53977514b59 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -18,7 +18,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*\rundll32.exe *,InstallArcherSvc'
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'InstallArcherSvc'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
index 356fead64e6..c83f97404cc 100644
--- a/rules/windows/process_creation/win_crime_maze_ransomware.yml
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -8,7 +8,7 @@ references:
- https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
author: Florian Roth
date: 2020/05/08
-modified: 2020/08/29
+modified: 2021/06/27
tags:
- attack.execution
- attack.t1204.002
@@ -25,7 +25,7 @@ detection:
ParentImage|endswith:
- '\WINWORD.exe'
Image|endswith:
- - '*.tmp'
+ - '.tmp'
# Binary Execution
selection2:
Image|endswith: '\wmic.exe'
diff --git a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml
new file mode 100644
index 00000000000..62d9b1d8691
--- /dev/null
+++ b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml
@@ -0,0 +1,22 @@
+title: Detecting Fake Instances Of Hxtsr.exe
+id: 4e762605-34a8-406d-b72e-c1a089313320
+status: experimental
+description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+author: Sreeman
+date: 2020/04/17
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image: hxtsr.exe
+ filter:
+ FolderPath|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
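Review bot: `Image: hxtsr.exe` is an exact match, and `Image` in process_creation events carries the full path, so `selection` never matches and the rule is effectively dead; it should be `Image|endswith: '\hxtsr.exe'`. `FolderPath` is, as far as I know, not part of the generic Sigma process_creation field set, so the `filter` is likely to fail to compile on most backends; anchoring it on `Image|re` with the same expression, or on `Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'`, keeps it portable. The file also lacks a trailing newline.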
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
index 1cd5cc9fb23..478b80d6364 100644
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection:
- - Image|endswith: '*\iodine.exe'
+ - Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
index 33472ac5569..b941e2f999f 100644
--- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
+++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
@@ -19,9 +19,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage|endswith: '*\powershell.exe'
- Image|endswith: '*\nslookup.exe'
- CommandLine|endswith: '*\nslookup.exe'
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\nslookup.exe'
+ CommandLine|endswith: '\nslookup.exe'
condition: selection | count(Image) by ParentImage > 100
fields:
- Image
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index fb7822601ba..6fef5224c56 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -35,18 +35,18 @@ detection:
- 'set-log'
- '/e:false'
selection_disable_3: #Autologger provider removal
- Commandline|contains|all:
+ CommandLine|contains|all:
- 'Remove-EtwTraceProvider'
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
selection_disable_4: #Provider “Enable” property modification
- Commandline|contains|all:
+ CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
- '0x11'
selection_disable_5: #ETW provider removal from a trace session
- Commandline|contains|all:
+ CommandLine|contains|all:
- "logman"
- "update"
- "trace"
diff --git a/rules/windows/process_creation/win_exchange_transportagent.yml b/rules/windows/process_creation/win_exchange_transportagent.yml
new file mode 100644
index 00000000000..09bbd202208
--- /dev/null
+++ b/rules/windows/process_creation/win_exchange_transportagent.yml
@@ -0,0 +1,33 @@
+action: global
+title: MSExchange Transport Agent Installation
+id: 83809e84-4475-4b69-bc3e-4aad8568612f
+status: experimental
+description: Detects the Installation of a Exchange Transport Agent
+references:
+ - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+tags:
+ - attack.persistence
+ - attack.t1505.002
+author: Tobias Michalski
+date: 2021/06/08
+detection:
+ condition: selection
+fields:
+ - AssemblyPath
+falsepositives:
+ - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains: 'Install-TransportAgent'
+---
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ selection:
+ Message|contains: 'Install-TransportAgent'
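Review bot: The second logsource document is an `msexchange-management` service log, yet the file lives under `rules/windows/process_creation/` and the global document's `fields: - AssemblyPath` only exists for that Exchange-management event, not for process creation; a neutral folder and a per-document `fields` entry would avoid confusing both readers and the folder-based test tooling. `Install-TransportAgent` is a PowerShell cmdlet that normally surfaces in script-block or Exchange-management logging rather than in a process command line, so the process_creation document will presumably only match when the cmdlet is passed inline (e.g. `powershell -c ...`) — worth stating in `description` so the coverage is not overestimated.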
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index c2a463b9dec..0a4f43d3bf0 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\MicroScMgmt.exe'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|endswith: '\MicroScMgmt.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 1e17dad10d1..bdc45eabb7b 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -20,8 +20,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\FLTLDR.exe*'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|contains: '\FLTLDR.exe'
condition: selection
falsepositives:
- Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 02ea834047d..a21fcfeade2 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -21,7 +21,7 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\EQNEDT32.EXE'
+ ParentImage|endswith: '\EQNEDT32.EXE'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 337b97c0ddc..03801e753dd 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -20,8 +20,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\csc.exe'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|endswith: '\csc.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index 0186b46cb4b..a4593acf1db 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
references:
- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/11/15
modified: 2020/08/29
tags:
@@ -19,15 +19,19 @@ logsource:
product: windows
detection:
selection:
- ParentCommandLine:
- - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
- - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
+ ParentCommandLine|contains|all:
+ - '\cmd.exe'
+ - '/c'
+ - 'C:\Windows\Setup\Scripts\'
+ ParentCommandLine|endswith:
+ - 'SetupComplete.cmd'
+ - 'PartnerSetupComplete.cmd'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\WinSxS\\*'
- - 'C:\Windows\Setup\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\Windows\Setup\'
condition: selection and not filter
falsepositives:
- Unknown
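Review bot: The second value under `ParentCommandLine|endswith` is redundant, because any string ending in `PartnerSetupComplete.cmd` also ends in `SetupComplete.cmd`; the list can be collapsed to `- 'SetupComplete.cmd'`, or kept with a comment such as `# first value already covers PartnerSetupComplete.cmd` if both names are listed for documentation. Splitting the removed full-path patterns into `contains|all` plus `endswith` also no longer ties the script name to the `C:\Windows\Setup\Scripts\` prefix, which widens the match a little; if that is deliberate, a one-line comment above `ParentCommandLine|contains|all:` saying so would help the next reader. `modified: 2020/08/29` in the preceding hunk was not bumped even though the detection logic changed here.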
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index 9cbd84fd5ec..c93f2113b32 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -15,9 +15,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\consent.exe'
- Image: '*\iexplore.exe'
- CommandLine: '* http*'
+ ParentImage|endswith: '\consent.exe'
+ Image|endswith: '\iexplore.exe'
+ CommandLine|contains: ' http'
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
index c23014f1f3c..10aaacd2b05 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -25,9 +25,9 @@ detection:
selection:
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
Image|endswith:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index c49df6bc1fd..a0ae78a12e7 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection_1:
- Image: '*\reg.exe'
+ Image|endswith: '\reg.exe'
CommandLine|contains:
- 'save'
- 'export'
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
index 26057c10f48..6daa475f94f 100644
--- a/rules/windows/process_creation/win_hack_koadic.yml
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -14,16 +14,19 @@ tags:
- attack.t1059.007
- attack.t1064 # an old one
date: 2020/01/12
-modified: 2020/09/01
-author: wagga
+modified: 2020/11/28
+author: wagga, Jonhnathan Ribeiro, oscd.community
logsource:
category: process_creation
product: windows
detection:
- selection1:
- CommandLine:
- - '*cmd.exe* /q /c chcp *'
- condition: selection1
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - '/q'
+ - '/c'
+ - 'chcp'
+ condition: selection
fields:
- CommandLine
- ParentCommandLine
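Review bot: `CommandLine|contains|all` with `/q`, `/c` and `chcp` drops the ordering and spacing that the removed `*cmd.exe* /q /c chcp *` pattern enforced, so any cmd.exe command line carrying those three tokens anywhere now matches, and since `/c` is present in almost every cmd.exe invocation the selectivity rests on `chcp` alone. If the original contiguity was intended, a single value `CommandLine|contains: ' /q /c chcp '` next to the `Image|endswith` key preserves it. Otherwise a comment stating that the tokens are matched independently on purpose would make the broadening explicit.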
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 491c60ad34b..4ce04049b2f 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -18,16 +18,19 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
+ CommandLine|contains:
+ - ' asreproast '
+ - ' dump /service:krbtgt '
+ - ' kerberoast '
+ - ' createnetonly /program:'
+ - ' ptt /ticket:'
+ - ' /impersonateuser:'
+ - ' renew /ticket:'
+ - ' asktgt /user:'
+ - ' harvest /interval:'
+ - ' s4u /user:'
+ - ' s4u /ticket:'
+ - ' hash /password:'
condition: selection
falsepositives:
- unlikely
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml
index d36b3844d57..d8899df42ab 100644
--- a/rules/windows/process_creation/win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/win_hack_secutyxploded.yml
@@ -6,7 +6,7 @@ references:
- https://securityxploded.com/
- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
date: 2018/12/19
-modified: 2020/09/01
+modified: 2021/05/11
tags:
- attack.credential_access
- attack.t1555
@@ -21,7 +21,7 @@ detection:
selection2:
Image|endswith: 'PasswordDump.exe'
selection3:
- OriginalFilename|endswith: 'PasswordDump.exe'
+ OriginalFileName|endswith: 'PasswordDump.exe'
condition: 1 of them
falsepositives:
- unlikely
diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
new file mode 100644
index 00000000000..811d34dc8fd
--- /dev/null
+++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
@@ -0,0 +1,28 @@
+title: Writing Of Malicious Files To The Fonts Folder
+id: ae9b0bd7-8888-4606-b444-0ed7410cb728
+description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from.
+references:
+ - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+date: 2020/21/04
+modified: 2021/06/11
+author: Sreeman
+tags:
+ - attack.t1064
+ - attack.t1211
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.persistence
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*'
+ condition: selection1
+fields:
+ - CommandLine
+ - ParentProcess
+ - CommandLine
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
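Review bot: `date: 2020/21/04` is not a valid YYYY/MM/DD value (month 21) and is likely to fail the repository's rule format checks; the referenced article is dated 2020-04-20, so `date: 2020/04/21` is presumably what was meant — confirm with the author. In `fields`, `CommandLine` is listed twice and `ParentProcess` is not a field name used by the other rules in this directory, which use `ParentImage`/`ParentCommandLine`; dropping the duplicate and using `- ParentCommandLine` would align it. The regex lists extensions as `.sh|.exe|...` with unescaped dots, so each `.` matches any character; `\.sh|\.exe|...` is the intended form. Description typos: `doesnt` → `doesn't`, `privillege` → `privilege`. The file also lacks a trailing newline and a `status` field.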
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index e10dfac4e9e..821c3cd9113 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -18,7 +18,7 @@ logsource:
category: process_creation
product: windows
detection:
- selection1:
+ selection1:
Image|contains: '\CreateMiniDump.exe'
selection2:
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
@@ -26,9 +26,9 @@ detection:
---
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection:
EventID: 11
- TargetFilename|contains: '*\lsass.dmp'
+ TargetFilename|endswith: '\lsass.dmp'
condition: 1 of them
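Review bot: `EventID: 11` is left in place although the logsource was switched from `service: sysmon` to `category: file_event`; the generic category is what supplies the event mapping, and the adwind rule in this same diff drops `EventID: 11` and `EventID: 13` when making the same switch. Keeping the line here ties the rule back to Sysmon on backends whose file_event mapping is not Sysmon, so it should be removed for consistency with the rest of the batch. The rule's `modified:` field is outside this hunk and may also need a bump for this logsource change.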
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index 206d5ab978b..e210478095d 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -25,8 +25,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\Hwp.exe'
- Image: '*\gbb.exe'
+ ParentImage|endswith: '\Hwp.exe'
+ Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index ad6f147c2b3..a97030d7d88 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py
-author: Ecco
+author: Ecco, oscd.community, Jonhnathan Ribeiro
date: 2019/09/03
modified: 2020/09/01
logsource:
@@ -32,20 +32,27 @@ detection:
# parent is services.exe
# example:
# C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
- ParentImage:
- - '*\wmiprvse.exe' # wmiexec
- - '*\mmc.exe' # dcomexec MMC
- - '*\explorer.exe' # dcomexec ShellBrowserWindow
- - '*\services.exe' # smbexec
- CommandLine:
- - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*'
+ ParentImage|endswith:
+ - '\wmiprvse.exe' # wmiexec
+ - '\mmc.exe' # dcomexec MMC
+ - '\explorer.exe' # dcomexec ShellBrowserWindow
+ - '\services.exe' # smbexec
+ CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/Q'
+ - '/c'
+ - '\\\\127.0.0.1\'
+ - '&1'
selection_atexec:
- ParentCommandLine:
- - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
- - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
+ ParentCommandLine|contains:
+ - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
+ - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
# cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
- CommandLine:
- - 'cmd.exe /C *Windows\\Temp\\*&1'
+ CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/C'
+ - 'Windows\Temp\'
+ - '&1'
condition: (1 of selection_*)
fields:
- CommandLine
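Review bot: `'\\\\127.0.0.1\'` in the `CommandLine|contains|all` list is the only value in this file that uses Sigma's doubled-backslash escape, right next to `'Windows\Temp\'` which uses plain backslashes; a comment like `# \\\\ is the Sigma escape for the literal UNC prefix \\; single backslashes elsewhere are literal` would stop a later editor from "normalising" one form to the other. `ParentCommandLine|contains: 'taskeng.exe'` replaces the removed `taskeng.exe*`, which was a prefix match, and `'svchost.exe -k netsvcs'` replaces a suffix match, so both are now substring matches; that is a reasonable compromise for a list sharing one modifier, but worth stating in the trailing comments already present on those lines. `modified: 2020/09/01` in the preceding hunk was not bumped for this logic change.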
diff --git a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
new file mode 100644
index 00000000000..c560fbb4e23
--- /dev/null
+++ b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
@@ -0,0 +1,29 @@
+title: Indirect Command Execution By Program Compatibility Wizard
+id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
+description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
+status: experimental
+author: A. Sungurov , oscd.community
+references:
+ - https://twitter.com/pabraeken/status/991335019833708544
+ - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\pcwrun.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - ParentCommandLine
+ - CommandLine
+falsepositives:
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+ - Legit usage of scripts
+level: low
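Review bot: `author: A. Sungurov , oscd.community` has a stray space before the comma; `author: A. Sungurov, oscd.community` matches the `name, oscd.community` form used by the other new rules in this diff. The low level and the stated false positives are consistent with a rule that fires on every child process of pcwrun.exe.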
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index b21725e1973..166a4561b1f 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -9,21 +9,23 @@ tags:
- attack.privilege_escalation
- attack.t1546.008
- attack.t1015 # an old one
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/06
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
- - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
- - '*\CurrentVersion\Image File Execution Options\osk.exe*'
- - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
- - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
- - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
- - '*\CurrentVersion\Image File Execution Options\atbroker.exe*'
+ CommandLine|contains|all:
+ - '\CurrentVersion\Image File Execution Options\'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'magnify.exe'
+ - 'narrator.exe'
+ - 'displayswitch.exe'
+ - 'atbroker.exe'
condition: selection
falsepositives:
- Penetration Tests
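Review bot: `CommandLine|contains|all:` holds a single value, so the `all` modifier does nothing; write it as `CommandLine|contains: '\CurrentVersion\Image File Execution Options\'` (the list form is not needed either, since both keys in the selection are ANDed anyway). The second list now matches `sethc.exe` etc. anywhere in the command line rather than directly after the IFEO key path as the removed patterns did; prefixing each value with a backslash (`'\sethc.exe'`, `'\utilman.exe'`, ...) keeps the filename-token shape at no cost. No `modified:` field is visible in this hunk, and one should be added for this logic change.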
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml
new file mode 100644
index 00000000000..cc229f08e8a
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: b222df08-0e07-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
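Review bot: The regex under `CommandLine|re:` has no `(?i)` flag, unlike the other `|re` rules in this batch (the compress, rundll, stdin, clip, mshta and rundll32 rules all start with `(?i)`), so upper-case spellings of `cmd` or `clip` will not match even though Sigma's plain string matching is case-insensitive; prefix the pattern with `(?i)`. The same applies to the STDIN+ and VAR+ launcher rules in this diff. The leading `.*` is redundant in an unanchored search and can be dropped. The file has no trailing newline.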
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
new file mode 100644
index 00000000000..dbdb4cbaadf
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
new file mode 100644
index 00000000000..63ae15f8c2c
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 27aec9c9-dbb0-4939-8422-1742242471d0
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
new file mode 100644
index 00000000000..60a494a553a
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 00000000000..d8b91c93c77
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 00000000000..71f178496ee
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Stdin
+id: 9c14c9fa-1a63-4a64-8e57-d19280559490
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 00000000000..ce8d6bfc818
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use Clip
+id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 00000000000..95f4633a12e
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: ac20ae82-8758-4f38-958e-b44a3140ca88
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
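Review bot: The file is named `win_invoke_obfuscation_via_use_mhsta.yml` while the title and the regex refer to `mshta`; renaming it to `win_invoke_obfuscation_via_use_mshta.yml` before merge avoids a misleading name that is expensive to change later. The rule content itself is consistent with its siblings.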
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 00000000000..169d86471c2
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 36c5146c-d127-4f85-8e21-01bf62355d5a
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
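Review bot: `date: 2019/10/08` is a year out of step with the rest of this batch (the sibling rules by the same author are dated 2020/10/08 to 2020/10/12 and reference the same issue), so this looks like a typo for `date: 2020/10/08` — confirm with the author. The references entry also lacks the `#(Task NN)` comment the other rules carry, which is harmless but inconsistent.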
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
new file mode 100644
index 00000000000..dd02c69ae95
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: e9f55347-2928-4c06-88e5-1a7f8169942e
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 7fb6e101af6..f3b83068d1a 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mshta.exe'
+ ParentImage|endswith: '\svchost.exe'
+ Image|endswith: '\mshta.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
new file mode 100644
index 00000000000..ffe74da9f0d
--- /dev/null
+++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml
@@ -0,0 +1,29 @@
+title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
+id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
+status: experimental
+description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
+references:
+ - https://dtm.uk/wuauclt/
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1085
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver'
+ filter:
+ CommandLine|contains:
+ - 'wuaueng.dll'
+ - 'UpdateDeploymentProvider.dll /ClassId'
+ condition: selection and not filter
+falsepositives:
+ - Wuaueng.dll which is a module belonging to Microsoft Wnidows Update.
+fields:
+ - CommandLine
+level: medium
\ No newline at end of file
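Review bot: `attack.t1085` is a retired ATT&CK ID (folded into the T1218 sub-techniques); elsewhere in this diff retired IDs are kept only with an `# an old one` comment beside the current ID, and the pcwrun rule in this same batch tags the equivalent LOLBAS behaviour with `attack.t1218`. Adding `- attack.t1218` and marking `- attack.t1085 # an old one` would match that convention. Typo in falsepositives: `Wnidows` → `Windows`. The file has no trailing newline.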
diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml
new file mode 100644
index 00000000000..ff0ef78bf61
--- /dev/null
+++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml
@@ -0,0 +1,26 @@
+title: Monitoring Winget For LOLbin Execution
+id: 313d6012-51a0-4d93-8dfc-de8553239e25
+description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+author: Sreeman
+date: 2020/21/04
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - '.*(?i)winget install (--m|-m).*'
+ condition: selection
+falsepositives:
+ - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
+fields:
+ - CommandLine
+level: medium
\ No newline at end of file
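Review bot: `CommandLine|contains:` with the value `'.*(?i)winget install (--m|-m).*'` puts a regular expression under the `contains` modifier, which does plain substring matching (only `*`/`?` are wildcards), so the value is searched for literally and the rule can never fire. Either use the regex modifier, `CommandLine|re: '(?i)winget install (--m|-m)'`, or list the literal forms `- 'winget install -m'` and `- 'winget install --m'` under `CommandLine|contains:` (Sigma string matching is already case-insensitive). `date: 2020/21/04` is not a valid YYYY/MM/DD date (the same typo appears in the fonts-folder rule in this diff), and `wont` in falsepositives should be `won't`. The file has no trailing newline.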
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 574c7e18218..d88aa5e3200 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -6,9 +6,9 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
-modified: 2020/09/01
+modified: 2021/06/27
tags:
- attack.execution
- attack.t1059.005
@@ -23,25 +23,31 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\AppData\Roaming\Oracle*\java*.exe *'
- - '*cscript.exe *Retrive*.vbs *'
+ - CommandLine|contains|all:
+ - '\AppData\Roaming\Oracle'
+ - '\java'
+ - '.exe '
+ - CommandLine|contains|all:
+ - 'cscript.exe'
+ - 'Retrive'
+ - '.vbs '
---
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 11
- TargetFilename:
- - '*\AppData\Roaming\Oracle\bin\java*.exe'
- - '*\Retrive*.vbs'
+ - TargetFilename|contains|all:
+ - '\AppData\Roaming\Oracle\bin\java'
+ - '.exe'
+ - TargetFilename|contains|all:
+ - '\Retrive'
+ - '.vbs'
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- Details: '%AppData%\Roaming\Oracle\bin\\*'
+ TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Details|startswith: '%AppData%\Roaming\Oracle\bin\'
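Review bot: In the file_event section, `TargetFilename|contains|all` with `'.exe'` / `'.vbs'` matches the extension anywhere in the path, whereas the removed `*\AppData\Roaming\Oracle\bin\java*.exe` anchored it at the end; a two-key map in the same list item keeps the anchor: `- TargetFilename|contains: '\AppData\Roaming\Oracle\bin\java'` followed on the next line by `TargetFilename|endswith: '.exe'` (and likewise `'\Retrive'` with `'.vbs'`). The same applies to `'.exe '` and `'.vbs '` in the process_creation section, where the trailing space is doing the anchoring work and deserves a comment. The registry section correctly drops `EventID: 13` together with `service: sysmon`.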
diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
index 9040595c645..7d90d5575fd 100644
--- a/rules/windows/process_creation/win_malware_dridex.yml
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects typical Dridex process patterns
references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/01/10
modified: 2020/09/01
tags:
@@ -19,13 +19,21 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
+ Image|endswith: '\svchost.exe'
+ CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\Desktop\'
selection2:
- ParentImage: '*\svchost.exe*'
- CommandLine:
- - '*whoami.exe /all'
- - '*net.exe view'
- condition: 1 of them
+ ParentImage|endswith: '\svchost.exe'
+ selection3:
+ Image|endswith: '\whoami.exe'
+ CommandLine|contains: 'all'
+ selection4:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'view'
+ condition: selection1 or selection2 and (selection3 or selection4)
falsepositives:
- Unlikely
level: critical
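Review bot: `condition: selection1 or selection2 and (selection3 or selection4)` relies on `and` binding tighter than `or`; that yields the presumably intended `selection1 or (selection2 and (selection3 or selection4))`, but it reads ambiguously and should carry the explicit parentheses. `CommandLine|contains: 'all'` under selection3 and `'view'` under selection4 are very short substrings; `' /all'` and `' view'` keep the argument shape of the removed `whoami.exe /all` / `net.exe view` patterns with less accidental overlap. `modified: 2020/09/01` in the preceding hunk was not bumped for this logic change.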
diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
index 722a2781cdf..e5e429be77b 100644
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -13,7 +13,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* echo EEEE > *'
+ CommandLine|contains: ' echo EEEE > '
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
index de9119227ca..aa1db398bf8 100644
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -21,15 +21,15 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -e* PAA*'
- - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*' # $env:userprofile
- - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*' # $env:userprofile
- - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*' # $env:userprofile
- - '*IgAoACcAKgAnACkAOwAkA*' # "('*');$
- - '*IAKAAnACoAJwApADsAJA*' # "('*');$
- - '*iACgAJwAqACcAKQA7ACQA*' # "('*');$
- - '*JABGAGwAeAByAGgAYwBmAGQ*'
+ CommandLine|contains:
+ - ' -e* PAA'
+ - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
+ - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
+ - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
+ - 'IgAoACcAKgAnACkAOwAkA' # "('*');$
+ - 'IAKAAnACoAJwApADsAJA' # "('*');$
+ - 'iACgAJwAqACcAKQA7ACQA' # "('*');$
+ - 'JABGAGwAeAByAGgAYwBmAGQ'
condition: selection
fields:
- CommandLine
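Review bot: `' -e* PAA'` is the only value in the `CommandLine|contains` list whose `*` is an intentional wildcard (covering PowerShell's `-e`, `-ec`, `-enc`, `-encodedcommand` abbreviations), while the `*` prefixes removed from the other lines were redundant, so a comment such as `# -e/-ec/-enc/-encodedcommand followed by base64 of a UTF-16LE string starting with "<"; the * is a wildcard` would make it clear the asterisk must stay. The last value `'JABGAGwAeAByAGgAYwBmAGQ'` has no decoding comment, unlike its neighbours, and should get one for the same reason.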
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index 6f5e41b32e8..d30851ea911 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
@@ -3,7 +3,7 @@ id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
modified: 2019/10/31
references:
@@ -19,14 +19,30 @@ detection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine:
- - 'C:\Windows\System32\\*.exe'
- - 'C:\Windows\SysWOW64\\*.exe'
- CommandLine:
- - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- - '* /c del "C:\Users\\*\Desktop\\*.exe'
- - '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
- condition: selection
+ ParentCommandLine|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ ParentCommandLine|endswith:
+ - '.exe'
+ selection2:
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\Desktop\'
+ - CommandLine|contains|all:
+ - '/C'
+ - 'type nul >'
+ - 'C:\Users\'
+ - '\Desktop\'
+ selection3:
+ CommandLine|endswith: '.exe'
+ condition: selection and selection2 and selection3
fields:
- CommandLine
- ParentCommandLine
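Review bot: The comment above `selection` states that the parent command line must not contain a space, but the new `ParentCommandLine|startswith: 'C:\Windows\System32\'` plus `ParentCommandLine|endswith: '.exe'` still admits arguments between the two, so a parent such as `wscript.exe /B run.exe` passes and the comment overstates what is enforced. If the no-argument property is the intent, a regex keeps it, e.g. `ParentCommandLine|re: '^C:\\Windows\\(System32|SysWOW64)\\[^ ]+\.exe$'`; otherwise reword the comment to `# Parent must be an executable under System32/SysWOW64 (arguments are not excluded)`. Splitting the ordered patterns into `contains|all` tokens also drops adjacency, so `'/c'` and `'del'` can be satisfied by unrelated substrings elsewhere in a long command line; a `|re` alternative would restore the order if false positives show up.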
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 6604463a275..4f0d44bf256 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -24,12 +24,14 @@ logsource:
product: windows
detection:
pipe_com:
- CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'
+ CommandLine|contains|all:
+ - '\AppData\Local\Temp\'
+ - '\\.\pipe\\'
rundll32_dash1:
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: '.dat,#1'
+ perfc_keyword|contains:
+ - '\perfc.dat'
condition: 1 of them
fields:
- CommandLine
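Review bot: `perfc_keyword|contains:` applies a field modifier to what appears to be a selection identifier — the removed `perfc_keyword` held a bare list of strings (a keyword search) and `condition: 1 of them` treats it as a selection; indentation is stripped in this diff, so please confirm. If it is a selection, `|contains` is not part of a valid selection name and backends may reject the rule or match the name literally, and keyword lists take no modifiers in any case; dropping the `*` from `'\perfc.dat'` may also turn a substring search into an exact-term search on backends that emit keywords as full-text queries. Making it a field match like the sibling selections avoids both problems: `perfc_keyword:` / `CommandLine|contains: '\perfc.dat'`.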
@@ -37,3 +39,4 @@ fields:
falsepositives:
- Admin activity
level: critical
+
diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml
index 1481a3c14a4..5e6554068a3 100644
--- a/rules/windows/process_creation/win_malware_qbot.yml
+++ b/rules/windows/process_creation/win_malware_qbot.yml
@@ -18,10 +18,10 @@ logsource:
product: windows
detection:
selection1:
- ParentImage: '*\WinRAR.exe'
- Image: '*\wscript.exe'
+ ParentImage|endswith: '\WinRAR.exe'
+ Image|endswith: '\wscript.exe'
selection2:
- CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
+ CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
selection3:
CommandLine|contains|all:
- 'regsvr32.exe'
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index d7a8819d3cc..45961cad492 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -2,7 +2,7 @@ title: WScript or CScript Dropper
id: cea72823-df4d-4567-950c-0b579eaf0846
status: experimental
description: Detects wscript/cscript executions of scripts located in user directories
-author: Margaritis Dimitrios (idea), Florian Roth (rule)
+author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
date: 2019/01/16
modified: 2020/09/01
tags:
@@ -15,24 +15,23 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '* C:\Users\\*.jse *'
- - '* C:\Users\\*.vbe *'
- - '* C:\Users\\*.js *'
- - '* C:\Users\\*.vba *'
- - '* C:\Users\\*.vbs *'
- - '* C:\ProgramData\\*.jse *'
- - '* C:\ProgramData\\*.vbe *'
- - '* C:\ProgramData\\*.js *'
- - '* C:\ProgramData\\*.vba *'
- - '* C:\ProgramData\\*.vbs *'
+ selection1:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ CommandLine|contains:
+ - 'C:\Users\'
+ - 'C:\ProgramData\'
+ selection2:
+ CommandLine|contains:
+ - '.jse'
+ - '.vbe'
+ - '.js'
+ - '.vba'
+ - '.vbs'
falsepositive:
- ParentImage: '*\winzip*'
- condition: selection and not falsepositive
+ ParentImage|contains: '\winzip'
+ condition: selection1 and selection2 and not falsepositive
fields:
- CommandLine
- ParentCommandLine
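Review bot: `'.js'` in `selection2` is a substring of `.jse`, `.json` and `.jsx`, and the split into `selection1`/`selection2` no longer ties the extension to the path: the old values required `C:\Users\*.js ` (extension inside the user directory and followed by a space), whereas now `'C:\Users\'` and `'.js'` may appear anywhere in the command line independently. Expect false positives from scripts in other locations that merely take a path under `C:\Users\` or a `.json` file as an argument. A single regex keeps both properties, e.g. `CommandLine|re: '(?i)C:\\(Users|ProgramData)\\.+\.(jse?|vb[aes])(\s|$)'`.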
diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
index 7610e73a26c..fc271bf22bb 100644
--- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
+++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Rare System Admin Activity
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 262ee8eeea1..815de36f20f 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects WannaCry ransomware activity
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2020/09/01
tags:
@@ -23,25 +23,38 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\@WanaDecryptor@*'
- - '*\WanaDecryptor*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe'
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
+ - Image|endswith:
+ - '\tasksche.exe'
+ - '\mssecsvc.exe'
+ - '\taskdl.exe'
+ - '\taskhsvc.exe'
+ - '\taskse.exe'
+ - '\111.exe'
+ - '\lhdfrgui.exe'
+ - '\diskpart.exe'
+ - '\linuxnew.exe'
+ - '\wannacry.exe'
+ - Image|contains: 'WanaDecryptor'
selection2:
- CommandLine:
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- - '*@Please_Read_Me@.txt*'
+ - CommandLine|contains|all:
+ - 'icacls'
+ - '/grant'
+ - 'Everyone:F'
+ - '/T'
+ - '/C'
+ - '/Q'
+ - CommandLine|contains|all:
+ - 'bcdedit'
+ - '/set'
+ - '{default}'
+ - 'recoveryenabled'
+ - 'no'
+ - CommandLine|contains|all:
+ - 'wbadmin'
+ - 'delete'
+ - 'catalog'
+ - '-quiet'
+ - CommandLine|contains: '@Please_Read_Me@.txt'
condition: 1 of them
fields:
- CommandLine
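Review bot: The bcdedit alternative in `selection2` splits `recoveryenabled no` into the tokens `'recoveryenabled'` and `'no'`; `'no'` is a two-letter substring found in almost any longer command line, so `bcdedit /set {default} recoveryenabled yes` also fires whenever something else in the line contains `no`. Keeping the pair as one token, `- 'recoveryenabled no'`, preserves the original meaning. The icacls alternative has the same shape with `'/T'`, `'/C'`, `'/Q'`; `- '/grant Everyone:F /T /C /Q'` is more specific and still a `contains` match.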
diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
new file mode 100644
index 00000000000..384015178e1
--- /dev/null
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
@@ -0,0 +1,27 @@
+title: Suspicious Usage of the Manage-bde.wsf Script
+id: c363385c-f75d-4753-a108-c1a8e28bdbda
+description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
+ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ - https://twitter.com/bohops/status/980659399495741441
+ - https://twitter.com/JohnLaTwC/status/1223292479270600706
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+date: 2020/10/13
+modified: 2021/05/21
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'cscript'
+ - 'manage-bde.wsf'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index 5fc53cdde49..f99d8cfb975 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -18,7 +18,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* /INJECTRUNNING *'
+ CommandLine|contains: ' /INJECTRUNNING '
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 633e060ec79..cb775d8829d 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,9 +1,9 @@
title: Meterpreter or Cobalt Strike Getsystem Service Start
id: 15619216-e993-4721-b590-4c520615a67d
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-author: Teymur Kheirkhabarov, Ecco
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
-modified: 2020/09/01
+modified: 2021/05/20
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -31,6 +31,12 @@ detection:
- '/c'
- 'echo'
- '\pipe\'
+ # cobaltstrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ - CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- CommandLine|contains|all:
- 'rundll32'
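Review bot: The added `cmd.exe` alternative keeps only the generic tokens `'/c'`, `'echo'` and `'\pipe\'` next to `'cmd.exe'`, so any `cmd.exe /c echo …` invocation whose arguments mention a pipe path matches, while the comment above it describes the echoed value being redirected into the pipe. Adding the redirect as a token, `- '> \\\\.\pipe\'`, keeps it as specific as the sibling alternative it mirrors (presumably the `%COMSPEC%` form, whose first token is outside this hunk); check how the backend renders the backslash escape, since a plain Sigma value collapses `\\` to `\`. The enclosing `selection` starts before this hunk.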
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index f5c4ef1a5a1..70641647f0a 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -16,18 +16,20 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\mmc.exe'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\reg.exe'
- - '*\regsvr32.exe'
- - '*\BITSADMIN*'
- condition: selection
+ ParentImage|endswith: '\mmc.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
fields:
- CommandLine
- Image
diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
new file mode 100644
index 00000000000..970b7c6d087
--- /dev/null
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -0,0 +1,27 @@
+title: Modification Of Existing Services For Persistence
+id: 38879043-7e1e-47a9-8d46-6bec88e201df
+description: Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
+references:
+ - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1031
+ - attack.t1058
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmdline_1:
+ CommandLine|re: '(?i)sc config.*binpath=.*'
+ selection_cmdline_2:
+ CommandLine|re: '(?i)sc failure.*command=.*'
+ selection_cmdline_3:
+ CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*'
+ condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
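Review bot: The `selection_cmdline_3` regex contains `\.bin^`, `\.msh^` and `\.reg^`; a `^` anchor in the middle of a pattern can only match at the start of the input (or of a line in multiline mode), so those three alternatives never match and `.bin`, `.msh` and `.reg` payloads are silently missed. They read like typos for a `|` separator, i.e. `(\.sh|\.exe|\.dll|\.bin|\.bat|\.cmd|\.js|\.msh|\.reg|\.scr|\.ps|\.vb|\.jar|\.pl)`. The leading and trailing `.*` in all three expressions are redundant for an unanchored `|re` search and can be dropped.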
diff --git a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
new file mode 100644
index 00000000000..c601496c3a1
--- /dev/null
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
@@ -0,0 +1,27 @@
+title: Monitoring For Persistence Via BITS
+id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
+description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+ - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
+ - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_1:
+ CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+ selection_2:
+ CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+ condition: selection_1 or selection_2
+falsepositives:
+ - None observed yet.
+fields:
+ - CommandLine
+level: medium
\ No newline at end of file
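Review bot: In `selection_1` the unescaped dots in `cmd.exe` and `regsvr32.exe` match any character; `cmd\.exe` and `regsvr32\.exe` state the intent, and the leading `.*` of both expressions is redundant for an unanchored `|re` search. The `selection_2` alternation `(http|https|ftp|ftps):` can be written `(http|ftp)s?:` with the same meaning. Both points are style only; the rule logic is sound.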
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index fca0d99b96a..ad6835d1aec 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -12,18 +12,20 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\mshta.exe'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\reg.exe'
- - '*\regsvr32.exe'
- - '*\BITSADMIN*'
- condition: selection
+ ParentImage|endswith: '\mshta.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index cc440dc0148..9fe41f4c96c 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*netsh*'
+ Image|endswith: '\netsh.exe'
selection2:
- CommandLine:
- - '*firewall add*'
+ CommandLine|contains|all:
+ - 'firewall'
+ - 'add'
condition: selection1 and selection2
falsepositives:
- Legitimate administration
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
index 601c3604758..13f3ead7363 100644
--- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
@@ -5,50 +5,56 @@ references:
- https://www.virusradar.com/en/Win32_Kasidet.AD/description
- https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
date: 2020/05/25
-modified: 2020/09/01
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.004
status: experimental
-author: Sander Wiebing
+author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
category: process_creation
product: windows
detection:
selection1:
+ Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- - 'netsh'
- - 'firewall add allowedprogram'
+ - 'firewall'
+ - 'add'
+ - 'allowedprogram'
selection2:
+ Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- - netsh
- - advfirewall firewall add rule
- - action=allow
- - program=
+ - 'advfirewall'
+ - 'firewall'
+ - 'add'
+ - 'rule'
+ - 'action=allow'
+ - 'program='
susp_image:
- CommandLine|contains:
- - '*%TEMP%*'
- - '*:\RECYCLER\\*'
- - '*C:\$Recycle.bin\\*'
- - '*:\SystemVolumeInformation\\*'
- - 'C:\\Windows\\Tasks\\*'
- - 'C:\\Windows\\debug\\*'
- - 'C:\\Windows\\fonts\\*'
- - 'C:\\Windows\\help\\*'
- - 'C:\\Windows\\drivers\\*'
- - 'C:\\Windows\\addins\\*'
- - 'C:\\Windows\\cursors\\*'
- - 'C:\\Windows\\system32\tasks\\*'
- - '*C:\Windows\Temp\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
+ - CommandLine|contains:
+ - '%TEMP%'
+ - ':\RECYCLER\'
+ - 'C:\$Recycle.bin\'
+ - ':\SystemVolumeInformation\'
+ - 'C:\Windows\Temp\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - 'C:\Users\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ - CommandLine|startswith:
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\debug\'
+ - 'C:\Windows\fonts\'
+ - 'C:\Windows\help\'
+ - 'C:\Windows\drivers\'
+ - 'C:\Windows\addins\'
+ - 'C:\Windows\cursors\'
+ - 'C:\Windows\system32\tasks\'
+ - '%Public%\'
condition: (selection1 or selection2) and susp_image
falsepositives:
- Legitimate administration
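Review bot: The `CommandLine|startswith` branch of `susp_image` can never match: a netsh command line begins with the netsh executable (`netsh` or its full path), not with `C:\Windows\Tasks\` or `%Public%\`, so the nine paths moved there are dead and the `program=`/`allowedprogram` values they were meant to catch go undetected. The pre-change `'C:\\Windows\\Tasks\\*'` entries had the same problem, since an unanchored Sigma value is a full-string match, so this rewrite was the moment to fix it. Move the nine entries into the `CommandLine|contains` list above them (drop the leading `C:` if other drives should count, e.g. `- '\Windows\Tasks\'`), leaving `susp_image` as a single `CommandLine|contains` list.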
diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml
index ad61284191f..41751f51d67 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd.yml
@@ -1,25 +1,38 @@
title: Netsh Port Forwarding
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
-description: Detects netsh commands that configure a port forwarding
+description: Detects netsh commands that configure a port forwarding (PortProxy)
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+ - https://adepts.of0x.cc/netsh-portproxy-code/
+ - https://www.dfirnotes.net/portproxy_detection/
date: 2019/01/29
-modified: 2020/09/01
+modified: 2021/06/22
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
status: experimental
-author: Florian Roth
+author: Florian Roth, omkar72, oscd.community
logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - netsh interface portproxy add v4tov4 *
- condition: selection
+ selection1:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'interface'
+ - 'portproxy'
+ - 'add'
+ - 'v4tov4'
+ selection2:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'connectp'
+ - 'listena'
+ - 'c='
+ condition: selection1 or selection2
falsepositives:
- Legitimate administration
+ - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
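Review bot: The description now promises PortProxy generally, but `selection1` requires `'v4tov4'` in `contains|all`, so the `v4tov6`, `v6tov4` and `v6tov6` modes netsh also accepts are only caught when the command happens to use the abbreviated `connectp`/`listena` tokens of `selection2`. Splitting the mode out into its own `CommandLine|contains` list keeps the `interface portproxy add` requirement and covers all four modes; `selection2` and the condition are unchanged.
```yaml
    selection1:
        Image|endswith: '\netsh.exe'
        CommandLine|contains|all:
            - 'interface'
            - 'portproxy'
            - 'add'
        CommandLine|contains:
            - 'v4tov4'
            - 'v4tov6'
            - 'v6tov4'
            - 'v6tov6'
    # … unchanged: selection2, condition …
```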
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
index 02124e93f16..91f2c04883d 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
@@ -4,20 +4,25 @@ description: Detects netsh commands that configure a port forwarding of port 338
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
+modified: 2020/11/28
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
status: experimental
-author: Florian Roth
+author: Florian Roth, oscd.community
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - netsh i* p*=3389 c*
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'i'
+ - ' p'
+ - '=3389'
+ - ' c'
condition: selection
falsepositives:
- Legitimate administration
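Review bot: The token `'i'` in `CommandLine|contains|all` adds no constraint — nearly every command line, including the `C:\Windows\System32\netsh.exe` path itself, contains the letter — and `' p'`/`' c'` constrain only slightly more, so the match effectively reduces to netsh.exe plus `'=3389'`. The old `netsh i* p*=3389 c*` encoded the order of the abbreviated `interface`/`portproxy`/`connect…` arguments; a regex keeps that order, e.g. `CommandLine|re: '(?i)\si\S*\s+p.*=3389\s+c'`. The same token style (`' s'`, `' p'`, `' k'`) appears in the win_netsh_wifi_credential_harvesting.yml hunk below, where `'wlan'` and `'=clear'` carry all of the signal and the same regex approach applies.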
diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
index b34ae86eeef..952ac4683ab 100644
--- a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
+++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
@@ -4,9 +4,9 @@ status: experimental
description: Detect the harvesting of wifi credentials using netsh.exe
references:
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
-author: Andreas Hunkeler (@Karneades)
+author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020/04/20
-modified: 2020/09/01
+modified: 2020/11/28
tags:
- attack.discovery
- attack.credential_access
@@ -16,8 +16,13 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - 'netsh wlan s* p* k*=clear'
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'wlan'
+ - ' s'
+ - ' p'
+ - ' k'
+ - '=clear'
condition: selection
falsepositives:
- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml
new file mode 100644
index 00000000000..b42648cc40a
--- /dev/null
+++ b/rules/windows/process_creation/win_nltest_query.yml
@@ -0,0 +1,24 @@
+title: Nltest Credential Hash Theft
+id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+description: Detects nltest query commands which may leak credential hashes
+references:
+ - https://twitter.com/sysopfb/status/986799053668139009
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
+date: 2018/04/18
+modified: 2021/01/05
+tags:
+ - attack.credential_access
+ - attack.t1003
+status: experimental
+author: Craig Young, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\nltest.exe'
+ CommandLine|contains: '\query'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
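Review bot: `CommandLine|contains: '\query'` only matches the backslash spelling of the switch, while nltest switches are conventionally written with a forward slash (`/server:`, `/query`); if the backslash form was taken from the referenced tweet rather than being the only accepted syntax, the common spelling is missed — please confirm against the LOLBAS entry in `references`. Matching both is cheap: `CommandLine|contains:` / `- '/query'` / `- '\query'`. Since `/query` on its own is a routine administrative command, `falsepositives: Legitimate administration` and `level: medium` look right for the widened form.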
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 32caed855bd..68cb6815dae 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -3,10 +3,10 @@ id: f4bbd493-b796-416e-bbf2-121235348529
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
status: experimental
date: 2019/09/12
-modified: 2019/11/10
+modified: 2021/05/10
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
tags:
- attack.execution
- attack.t1086 # an old one
@@ -18,8 +18,10 @@ detection:
selection:
Image|endswith: '\powershell.exe'
filter:
- ParentImage|endswith: '\explorer.exe'
+ ParentImage|endswith:
+ - '\explorer.exe'
+ - '\CompatTelRunner.exe'
condition: selection and not filter
falsepositives:
- Legitimate programs executing PowerShell scripts
-level: medium
+level: low
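Review bot: The new filter entry `'\CompatTelRunner.exe'` under `ParentImage|endswith` excludes any executable with that file name in any directory, so PowerShell launched by a lookalike `CompatTelRunner.exe` placed in a user-writable path is filtered out too, and the simultaneous downgrade to `level: low` makes that harder to notice. Anchor the exclusion to the system copy, e.g. `- '\Windows\System32\CompatTelRunner.exe'`, which still works with the `|endswith` modifier. The `'\explorer.exe'` entry has the same weakness, but that predates this change.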
diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
new file mode 100644
index 00000000000..8ff4bf02403
--- /dev/null
+++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
@@ -0,0 +1,45 @@
+title: Non-privileged Usage of Reg or Powershell
+id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
+description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
+ CommandLine|contains:
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ registry_folder:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - 'Services'
+ registry_key:
+ CommandLine|contains:
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+fields:
+ - EventID
+ - IntegrityLevel
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
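Review bot: The condition `integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key` relies on `and` binding tighter than `or`; writing `(reg or (powershell_1 and powershell_2))` documents the intent and protects it from a later edit. `powershell_1` matches only `'powershell'`, so PowerShell 7's `pwsh` is not covered, and the `description` misspells "privileged" as `priveleged`. The `'reg'`/`'add'` tokens are short substrings, but with `registry_folder` and `registry_key` required as well the false-positive exposure is limited.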
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index a91b4bd974a..e1f5ea7c365 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -17,36 +17,36 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- - '*\OUTLOOK.EXE'
- - '*\MSACCESS.EXE'
- - '*\EQNEDT32.EXE'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\scrcons.exe'
- - '*\schtasks.exe'
- - '*\regsvr32.exe'
- - '*\hh.exe'
- - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- - '*\mshta.exe'
- - '*\rundll32.exe'
- - '*\msiexec.exe'
- - '*\forfiles.exe'
- - '*\scriptrunner.exe'
- - '*\mftrace.exe'
- - '*\AppVLP.exe'
- - '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- - '*\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ - '\OUTLOOK.EXE'
+ - '\MSACCESS.EXE'
+ - '\EQNEDT32.EXE'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\scrcons.exe'
+ - '\schtasks.exe'
+ - '\regsvr32.exe'
+ - '\hh.exe'
+ - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\msiexec.exe'
+ - '\forfiles.exe'
+ - '\scriptrunner.exe'
+ - '\mftrace.exe'
+ - '\AppVLP.exe'
+ - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
+ - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index 403ddd8a998..cf43685fc8f 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -11,24 +11,26 @@ tags:
- attack.t1204.002
- FIN7
- car.2013-05-002
-author: Jason Lynch
+author: Jason Lynch
date: 2019/04/02
-modified: 2020/09/01
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- - '*\OUTLOOK.EXE'
- Image:
- - 'C:\users\\*.exe'
- condition: selection
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ # - '\OUTLOOK.EXE' too many FPs
+ Image|startswith: 'C:\users\'
+ Image|endswith: '.exe'
+ filter:
+ Image|endswith: '\Teams.exe'
+ condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
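Review bot: The new `filter` excludes any image ending in `\Teams.exe` under `C:\users\`, which is exactly the name a dropped executable could borrow to slip past this rule. Anchor it to the known per-user install location, e.g. `Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'`, so only the real client is filtered. The commented-out `'\OUTLOOK.EXE'` entry would read better with the reason on its own comment line above it rather than trailing the value.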
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 557ac9154fd..73522132f0e 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -7,6 +7,7 @@ references:
- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth
date: 2017/06/12
+modified: 2020/11/28
tags:
- attack.s0013
- attack.defense_evasion
@@ -17,75 +18,88 @@ logsource:
product: windows
detection:
selection_cammute:
- Image: '*\CamMute.exe'
+ Image|endswith: '\CamMute.exe'
filter_cammute:
- Image: '*\Lenovo\Communication Utility\\*'
+ Image|contains:
+ - '\Lenovo\Communication Utility\'
+ - '\Lenovo\Communications Utility\'
selection_chrome_frame:
- Image: '*\chrome_frame_helper.exe'
+ Image|endswith: '\chrome_frame_helper.exe'
filter_chrome_frame:
- Image: '*\Google\Chrome\application\\*'
+ Image|contains: '\Google\Chrome\application\'
selection_devemu:
- Image: '*\dvcemumanager.exe'
+ Image|endswith: '\dvcemumanager.exe'
filter_devemu:
- Image: '*\Microsoft Device Emulator\\*'
+ Image|contains: '\Microsoft Device Emulator\'
selection_gadget:
- Image: '*\Gadget.exe'
+ Image|endswith: '\Gadget.exe'
filter_gadget:
- Image: '*\Windows Media Player\\*'
+ Image|contains: '\Windows Media Player\'
selection_hcc:
- Image: '*\hcc.exe'
+ Image|endswith: '\hcc.exe'
filter_hcc:
- Image: '*\HTML Help Workshop\\*'
+ Image|contains: '\HTML Help Workshop\'
selection_hkcmd:
- Image: '*\hkcmd.exe'
+ Image|endswith: '\hkcmd.exe'
filter_hkcmd:
- Image:
- - '*\System32\\*'
- - '*\SysNative\\*'
- - '*\SysWowo64\\*'
+ Image|contains:
+ - '\System32\'
+ - '\SysNative\'
+ - '\SysWowo64\'
selection_mc:
- Image: '*\Mc.exe'
+ Image|endswith: '\Mc.exe'
filter_mc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
selection_msmpeng:
- Image: '*\MsMpEng.exe'
+ Image|endswith: '\MsMpEng.exe'
filter_msmpeng:
- Image:
- - '*\Microsoft Security Client\\*'
- - '*\Windows Defender\\*'
- - '*\AntiMalware\\*'
+ Image|contains:
+ - '\Microsoft Security Client\'
+ - '\Windows Defender\'
+ - '\AntiMalware\'
selection_msseces:
- Image: '*\msseces.exe'
+ Image|endswith: '\msseces.exe'
filter_msseces:
- Image:
- - '*\Microsoft Security Center\\*'
- - '*\Microsoft Security Client\\*'
- - '*\Microsoft Security Essentials\\*'
+ Image|contains:
+ - '\Microsoft Security Center\'
+ - '\Microsoft Security Client\'
+ - '\Microsoft Security Essentials\'
selection_oinfo:
- Image: '*\OInfoP11.exe'
+ Image|endswith: '\OInfoP11.exe'
filter_oinfo:
- Image: '*\Common Files\Microsoft Shared\\*'
+ Image|contains: '\Common Files\Microsoft Shared\'
selection_oleview:
- Image: '*\OleView.exe'
+ Image|endswith: '\OleView.exe'
filter_oleview:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
+ - '\Windows Resource Kit\'
selection_rc:
- Image: '*\rc.exe'
+ Image|endswith: '\rc.exe'
filter_rc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
- - '*\Microsoft.NET\\*'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
+ - '\Windows Resource Kit\'
+ - '\Microsoft.NET\'
+ condition: ( selection_cammute and not filter_cammute ) or
+ ( selection_chrome_frame and not filter_chrome_frame ) or
+ ( selection_devemu and not filter_devemu ) or
+ ( selection_gadget and not filter_gadget ) or
+ ( selection_hcc and not filter_hcc ) or
+ ( selection_hkcmd and not filter_hkcmd ) or
+ ( selection_mc and not filter_mc ) or
+ ( selection_msmpeng and not filter_msmpeng ) or
+ ( selection_msseces and not filter_msseces ) or
+ ( selection_oinfo and not filter_oinfo ) or
+ ( selection_oleview and not filter_oleview ) or
+ ( selection_rc and not filter_rc )
fields:
- CommandLine
- ParentCommandLine
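Review bot: `filter_hkcmd` carries over the misspelled `'\SysWowo64\'`; the real directory is `SysWOW64`, so the 32-bit `hkcmd.exe` under `C:\Windows\SysWOW64\` is never filtered and `selection_hkcmd` fires on every legitimate copy there. The entry should read `- '\SysWOW64\'`. The typo existed before this change, but the rewrite of every filter to `Image|contains` was the moment to catch it; the multi-line `condition` is a valid plain scalar and folds correctly.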
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 3d110023923..23f1284152b 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*System.Management.Automation.AmsiUtils*'
+ CommandLine|contains:
+ - 'System.Management.Automation.AmsiUtils'
selection2:
- CommandLine:
- - '*amsiInitFailed*'
+ CommandLine|contains:
+ - 'amsiInitFailed'
condition: selection1 and selection2
falsepositives:
- Potential Admin Activity
diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
index 3ae30acca73..48b87eab2fb 100644
--- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml
+++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
@@ -15,11 +15,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*AAAAYInlM*'
+ CommandLine|contains: 'AAAAYInlM'
selection2:
- CommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
+ CommandLine|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
condition: selection1 and selection2
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
new file mode 100644
index 00000000000..2a6191fc011
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml
@@ -0,0 +1,32 @@
+title: Powershell Defender Exclusion
+id: 17769c90-230e-488b-a463-e05c08e9d48f
+status: experimental
+description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+references:
+ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+author: Florian Roth
+date: 2021/04/29
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine: 'Add-MpPreference'
+ selection2:
+ CommandLine|contains:
+ - ' -ExclusionPath '
+ - ' -ExclusionExtension '
+ - ' -ExclusionProcess '
+ selection_encoded:
+ CommandLine|contains:
+ - 'QWRkLU1wUHJlZmVyZW5jZ'
+ - 'FkZC1NcFByZWZlcmVuY2'
+ - 'BZGQtTXBQcmVmZXJlbmNl'
+ condition: ( selection1 and selection2 ) or selection_encoded
+falsepositives:
+ - Possible Admin Activity
+ - Other Cmdlets that may use the same parameters
+level: high
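Review bot: `selection1` uses a plain `CommandLine: 'Add-MpPreference'`, which in Sigma is an exact-equality match on the whole command line, so it can never be true at the same time as `selection2` (which needs ` -ExclusionPath ` etc. in the same line); the first branch of the condition is dead and only `selection_encoded` can fire. The modifier form used everywhere else in this file is what was meant: `CommandLine|contains: 'Add-MpPreference'`. It would also help to add a short comment above `selection_encoded` stating what the three fragments are (they look like base64 alignments of the cmdlet name, but the rule should say so rather than leave the reader to guess).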
diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
new file mode 100644
index 00000000000..ebfb84ed875
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
@@ -0,0 +1,39 @@
+title: Powershell Used To Disable Windows Defender AV Security Monitoring
+id: a7ee1722-c3c5-aeff-3212-c777e4733217
+status: experimental
+description: Detects attackers attempting to disable Windows Defender using Powershell
+author: 'ok @securonix invrep-de, oscd.community, frack113'
+date: 2020/10/12
+modified: 2021/06/07
+references:
+ - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
+ - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # legacy
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - '-DisableBehaviorMonitoring $true'
+ - '-DisableRuntimeMonitoring $true'
+ tamper_cmd_stop:
+ CommandLine|contains|all:
+ - sc
+ - stop
+ - WinDefend
+ tamper_cmd_disabled:
+ CommandLine|contains|all:
+ - sc
+ - config
+ - WinDefend
+ - 'start=disabled'
+ condition: 1 of them
+falsepositives:
+ - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
+level: high
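Review bot: `tamper_cmd_disabled` requires the substring `'start=disabled'`, but sc.exe's `config` syntax requires a space between the option and its value (`start= disabled`), so the token as written matches a form that sc.exe rejects and misses the working one. Splitting it into two `contains|all` entries, `- 'start='` and `- 'disabled'`, covers both spellings; alternatively quote `'start= disabled'`. The bare `sc` token in both tamper selections is also a near-no-op substring (it appears in `schtasks`, `script`, many paths), so the specificity rests entirely on `WinDefend`; `' sc '` or `'sc.exe'` would make the intent explicit. Note too that the `tamper_cmd_*` selections are not restricted to PowerShell, which is fine for detection but makes the title a little narrower than the rule.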
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 41dc3294d10..4478fccdf6f 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -16,15 +16,15 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\rundll32.exe'
+ Image|endswith:
+ - '\rundll32.exe'
selection2:
- Description:
- - '*Windows-Hostprozess (Rundll32)*'
+ Description|contains:
+ - 'Windows-Hostprozess (Rundll32)'
selection3:
- CommandLine:
- - '*Default.GetString*'
- - '*FromBase64String*'
+ CommandLine|contains:
+ - 'Default.GetString'
+ - 'FromBase64String'
condition: (selection1 or selection2) and selection3
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index e142a17d260..3db56ae9729 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -2,7 +2,7 @@ title: PowerShell Download from URL
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects a Powershell process that contains download commands in its command line string
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
tags:
- attack.t1086 # an old one
@@ -13,12 +13,14 @@ logsource:
product: windows
detection:
selection:
- Image: '*\powershell.exe'
- CommandLine:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- - '*new-object net.webclient).downloadstring(*'
- - '*new-object net.webclient).downloadfile(*'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'new-object'
+ - 'net.webclient).'
+ - 'download'
+ CommandLine|contains:
+ - 'string('
+ - 'file('
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
index 5d598868f92..b044d26ee48 100644
--- a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
+++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml
@@ -2,11 +2,12 @@ title: Powershell Reverse Shell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: experimental
description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
-author: FPT.EagleEye
+author: FPT.EagleEye, wagga
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
+modified: 2021/06/27
tags:
- attack.execution
- attack.t1086
@@ -16,9 +17,9 @@ logsource:
product: windows
detection:
selection:
- Image: '*\powershell.exe'
- CommandLine:
- - '*new-object system.net.sockets.tcpclient*'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'new-object system.net.sockets.tcpclient'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index 4509852b1e7..4f722ef266a 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -12,15 +12,24 @@ logsource:
product: windows
category: process_creation
detection:
- selection:
- ParentImage:
- - '*\powershell.exe'
- CommandLine:
- - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*'
- condition: selection
+ selection1:
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ selection2:
+ CommandLine|contains:
+ - 'ONLOGON'
+ - 'DAILY'
+ - 'ONIDLE'
+ - 'Updater'
+ CommandLine|contains|all:
+ - '/TN'
+ - 'Updater'
+ - '/TR'
+ - 'powershell'
+ condition: selection1 and selection2
tags:
- attack.execution
- attack.persistence
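Review bot: In `selection2`, `'Updater'` appears in the OR list (`CommandLine|contains`) and is also required by the AND list (`CommandLine|contains|all`), so the OR list is always satisfied whenever the AND list is and the ONLOGON/DAILY/ONIDLE schedule restriction is effectively dropped. If the schedule-type constraint from the old patterns is still intended, remove the line `- 'Updater'` from the first list; if the broadening is deliberate, the first list is redundant and can go entirely. Either way a one-line comment on `selection2` stating which behaviour is intended would prevent the next reader from re-tightening it by accident.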
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index ed200d80648..f58e6cea408 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -9,7 +9,7 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
-modified: 2020/09/06
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -20,25 +20,29 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- - '*\taskhost.exe'
- - '*\lsm.exe'
- - '*\lsass.exe'
- - '*\services.exe'
- - '*\lsaiso.exe'
- - '*\csrss.exe'
- - '*\wininit.exe'
- - '*\winlogon.exe'
- filter:
- ParentImage:
- - '*\System32\\*'
- - '*\SysWOW64\\*'
- - '*\SavService.exe'
- - '*\Windows Defender\\*\MsMpEng.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\taskhost.exe'
+ - '\lsm.exe'
+ - '\lsass.exe'
+ - '\services.exe'
+ - '\lsaiso.exe'
+ - '\csrss.exe'
+ - '\wininit.exe'
+ - '\winlogon.exe'
+ filter1:
+ - ParentImage|endswith: '\SavService.exe'
+ - ParentImage|contains:
+ - '\System32\'
+ - '\SysWOW64\'
+ filter2:
+ ParentImage|contains:
+ - '\Windows Defender\'
+ - '\Microsoft Security Client\'
+ ParentImage|endswith: '\MsMpEng.exe'
filter_null:
ParentImage: null
- condition: selection and not filter and not filter_null
+ condition: selection and not filter1 and not filter2 and not filter_null
falsepositives:
- Some security products seem to spawn these
level: low
diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
index 96051f6f0d8..4cbadca4c3c 100644
--- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
+++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
@@ -19,13 +19,13 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\bitsadmin.exe'
- CommandLine:
- - '* /transfer *'
+ Image|endswith:
+ - '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
selection2:
- CommandLine:
- - '*copy bitsadmin.exe*'
+ CommandLine|contains:
+ - 'copy bitsadmin.exe'
condition: selection1 or selection2
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 7e1eb8cb636..d75fdc85a3f 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -4,9 +4,10 @@ description: Detects a process memory dump performed via ordinal function 24 in
status: experimental
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
+ - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
author: Florian Roth
date: 2020/02/18
-modified: 2020/09/06
+modified: 2021/04/23
tags:
- attack.defense_evasion
- attack.t1036
@@ -22,6 +23,7 @@ detection:
CommandLine|contains:
- 'comsvcs.dll,#24'
- 'comsvcs.dll,MiniDump'
+ - 'comsvcs.dll MiniDump'
condition: selection
falsepositives:
- Unlikely, because no one should dump the process memory in that way
diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml
new file mode 100644
index 00000000000..503b7a6563b
--- /dev/null
+++ b/rules/windows/process_creation/win_purplesharp_indicators.yml
@@ -0,0 +1,23 @@
+title: PurpleSharp Indicator
+id: ff23ffbc-3378-435e-992f-0624dcf93ab4
+status: experimental
+description: Detect
+author: Florian Roth
+date: 2021/06/18
+references:
+ - https://github.com/mvelazc0/PurpleSharp
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - xyz123456.exe
+ - PurpleSharp
+ selection2:
+ OriginalFilename:
+ - 'PurpleSharp.exe'
+ condition: selection1 or selection2
+falsepositives:
+ - Unlikely
+level: critical
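Review bot: `selection2` keys on `OriginalFilename`, while the rest of this commit uses `OriginalFileName` (see the rasautou, renamed-megasync and renamed-procdump rules); with field mappings keyed on the latter this selection will silently never match, leaving only the command-line branch. Change it to `OriginalFileName: 'PurpleSharp.exe'`. The `description: Detect` is also truncated and should say what is detected, e.g. `description: Detects command line and original file name indicators of the PurpleSharp adversary simulation tool`. For consistency with the surrounding rules the two plain scalars under `selection1` should be quoted.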
diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml
new file mode 100644
index 00000000000..fef616b20ce
--- /dev/null
+++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml
@@ -0,0 +1,30 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+ use_rasautou:
+ Image|endswith: '\rasautou.exe'
+ remaned_rasautou:
+ OriginalFileName: 'rasdlui.exe'
+ special_keys:
+ CommandLine|contains|all:
+ - '-d'
+ - '-p'
+ condition: (use_rasautou or remaned_rasautou) and special_keys
+level: medium
+falsepositives:
+ - Unlikely
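Review bot: The selection name `remaned_rasautou` is misspelled and is referenced again in the condition; rename both to `renamed_rasautou` so the intent (matching a renamed copy by `OriginalFileName`) is readable. The `special_keys` tokens `'-d'` and `'-p'` are very short substrings that also appear inside longer switches and paths; the space-padded form used elsewhere in this commit (`' -d '`, `' -p '`) would be more precise, at the cost of missing forms where the switch and its value are not space-separated — worth a comment either way. The long `definition` line would read better as a `>-` folded scalar.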
diff --git a/rules/windows/process_creation/win_reg_add_run_key.yml b/rules/windows/process_creation/win_reg_add_run_key.yml
new file mode 100644
index 00000000000..0cd6b85450e
--- /dev/null
+++ b/rules/windows/process_creation/win_reg_add_run_key.yml
@@ -0,0 +1,22 @@
+title: Reg Add RUN Key
+id: de587dce-915e-4218-aac4-835ca6af6f70
+description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
+status: experimental
+date: 2021/06/28
+author: Florian Roth
+references:
+ - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
+ - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'reg'
+ - ' ADD '
+ - 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
new file mode 100644
index 00000000000..472265a7c52
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Critical Registry Keys To a File
+id: 82880171-b475-4201-b811-e9c826cd5eaa
+status: experimental
+description: Detects the export of a crital Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ selection_2:
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ selection_3:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and selection_2 and selection_3
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+level: high
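Review bot: The tags `attack.exfiltration` / `attack.t1012` do not fit this rule: T1012 (Query Registry) is a Discovery technique, and exporting the SAM/SECURITY/SYSTEM hives is better described as credential access (`attack.credential_access`, `attack.t1003.002`), which is presumably what the "critical keys" title is about; the sibling `win_regedit_export_keys.yml` carries the same tag pair and should be reviewed with it. `selection_3` uses `CommandLine|endswith` on the hive name, so an invocation whose key argument is quoted or followed by another argument will not end with `\sam` and slips through — a comment documenting that assumption, or a `contains` variant with a trailing space or quote, would help. Also two typos: `crital` → `critical` in the description and `purpouse` → `purpose` in falsepositives.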
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
new file mode 100644
index 00000000000..e3454faf484
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Registry Key To a File
+id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
+status: experimental
+description: Detects the export of the target Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ filter_1: # filters to avoid intersection with critical keys rule
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ filter_2:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and not (filter_1 and filter_2)
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate export of keys
+level: low
diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
new file mode 100644
index 00000000000..176da7f7256
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
new file mode 100644
index 00000000000..2d347763a5f
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
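Review bot: The description reads "the import of a alternate datastream"; it should be `description: Detects the import of an alternate data stream to the registry with regedit.exe.` The regex `':[^ \\]'` is doing the real work here and deserves the same inline comment the sibling rules carry, e.g. `# colon not followed by space or backslash: ADS syntax rather than a drive letter`.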
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
new file mode 100644
index 00000000000..3f1a340c171
--- /dev/null
+++ b/rules/windows/process_creation/win_regini.yml
@@ -0,0 +1,29 @@
+title: Modifies the Registry From a File
+id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
+status: experimental
+description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/08
+modified: 2021/05/24
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ filter:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate modification of keys
+level: low
\ No newline at end of file
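Review bot: Both new regini rules are committed without a trailing newline (`\ No newline at end of file` here and in `win_regini_ads.yml`), unlike every other file in this commit; add the final newline so linters and future diffs stay clean. Separately, the `filter` regex `':[^ \\]'` is explained only as "to avoid intersection with ADS rule"; a slightly fuller comment such as `# colon not followed by space/backslash = ADS syntax, handled by win_regini_ads.yml` would make the pairing obvious.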
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
new file mode 100644
index 00000000000..9844421cd3e
--- /dev/null
+++ b/rules/windows/process_creation/win_regini_ads.yml
@@ -0,0 +1,28 @@
+title: Modifies the Registry From a ADS
+id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
+status: experimental
+description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/12
+modified: 2021/05/24
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ CommandLine|re: ':[^ \\]'
+ condition: selection
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 7490d9b6d17..00a033cb04d 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -1,12 +1,12 @@
-title: Remote PowerShell Session
+title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
-description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
+description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)
status: experimental
date: 2019/09/12
-modified: 2019/11/10
+modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1086 # an old one
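Review bot: The rewritten description still says "Detects remote PowerShell sections"; since the line is being touched anyway, fix it to `description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)`.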
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 9e4d26755ea..ec8c67dc13c 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -33,20 +33,20 @@ detection:
- "cmstp.exe"
- "msiexec.exe"
filter:
- Image:
- - '*\powershell.exe'
- - '*\powershell_ise.exe'
- - '*\psexec.exe'
- - '*\psexec64.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\wmic.exe'
- - '*\certutil.exe'
- - '*\rundll32.exe'
- - '*\cmstp.exe'
- - '*\msiexec.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\psexec.exe'
+ - '\psexec64.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\certutil.exe'
+ - '\rundll32.exe'
+ - '\cmstp.exe'
+ - '\msiexec.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
diff --git a/rules/windows/process_creation/win_renamed_megasync.yml b/rules/windows/process_creation/win_renamed_megasync.yml
new file mode 100644
index 00000000000..71cf3eae227
--- /dev/null
+++ b/rules/windows/process_creation/win_renamed_megasync.yml
@@ -0,0 +1,27 @@
+title: Renamed MegaSync
+id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
+status: experimental
+description: Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
+references:
+ - https://redcanary.com/blog/rclone-mega-extortion/
+author: Sittikorn S
+date: 2021/06/22
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_proc:
+ ParentImage|endswith: '\explorer.exe'
+ CommandLine|contains: 'C:\Windows\Temp\meg.exe'
+ selection_orig:
+ OriginalFileName: 'meg.exe'
+ filter:
+ Image|endswith: '\meg.exe'
+ condition: selection_proc or ( selection_orig and not filter )
+falsepositives:
+ - Software that illegaly integrates MegaSync in a renamed form
+ - Administrators that have renamed MegaSync
+level: high
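Review bot: `selection_proc` hard-codes `'C:\Windows\Temp\meg.exe'`, which ties the match to one drive letter and one directory taken from the referenced report; `CommandLine|contains: '\Temp\meg.exe'` would cover the same case without that brittleness. That branch also matches meg.exe under its real name, so it is not a "renamed" detection at all — either the title/description should mention the Temp-drop case, or the branch belongs in a separate rule. Typo carried over from the sibling rules: `illegaly` → `illegally`.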
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index 04c1cbb3a99..b062debd096 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -22,8 +22,8 @@ logsource:
product: windows
detection:
selection1:
- Product:
- - '*PAExec*'
+ Product|contains:
+ - 'PAExec'
selection2:
Imphash:
- 11D40A7B7876288F919AB819CC2D9802
@@ -31,5 +31,5 @@ detection:
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
filter1:
- Image: '*paexec*'
+ Image|contains: 'paexec'
condition: (selection1 and selection2) and not filter1
diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
index 0b42596ed0a..84ff273fdf6 100644
--- a/rules/windows/process_creation/win_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -20,9 +20,9 @@ detection:
Description: 'Windows PowerShell'
Company: 'Microsoft Corporation'
filter:
- Image:
- - '*\powershell.exe'
- - '*\powershell_ise.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
condition: selection and not filter
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
index fbcb1d6e541..8b9bad991cd 100644
--- a/rules/windows/process_creation/win_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
-modified: 2020/09/06
+modified: 2021/04/29
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -15,13 +15,21 @@ logsource:
product: windows
category: process_creation
detection:
- selection:
+ selection1:
OriginalFileName: 'procdump'
- filter:
- Image:
- - '*\procdump.exe'
- - '*\procdump64.exe'
- condition: selection and not filter
+ filter1:
+ Image|endswith:
+ - '\procdump.exe'
+ - '\procdump64.exe'
+ selection2:
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' -accepteula '
+ filter2:
+ CommandLine|contains:
+ - '\procdump.exe'
+ - '\procdump64.exe'
+ condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries
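Review bot: `filter2` only suppresses command lines that contain `\procdump.exe` or `\procdump64.exe`, so a legitimately named `procdump -ma -accepteula ...` launched via PATH or from its own directory (no backslash in the command line) is still flagged by the `selection2` branch. Since `Image` is a full path in process-creation events, reusing the image filter there is the simplest fix: `condition: ( selection1 and not filter1 ) or ( selection2 and not filter1 and not filter2 )`. A short comment on `selection2` noting that it is meant to catch a renamed procdump by its characteristic flags would also help the next maintainer.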
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 4a1ab224463..d599d6e0ee1 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -20,9 +20,9 @@ detection:
Description: 'Execute processes remotely'
Product: 'Sysinternals PsExec'
filter:
- Image:
- - '*\PsExec.exe'
- - '*\PsExec64.exe'
+ Image|endswith:
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
condition: selection and not filter
falsepositives:
- Software that illegaly integrates PsExec in a renamed form
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
new file mode 100644
index 00000000000..e8bda9dfc3c
--- /dev/null
+++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
@@ -0,0 +1,25 @@
+title: Run PowerShell Script from Redirected Input Stream
+id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
+status: experimental
+description: Detects PowerShell script execution via input stream redirect
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml
+ - https://twitter.com/Moriarty_Meng/status/984380793383370752
+author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
+date: 2020/10/17
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_started:
+ Image|endswith: '\powershell.exe'
+ redirect_to_input_stream:
+ CommandLine|re: '\s-\s*<'
+ condition: powershell_started and redirect_to_input_stream
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_run_virtualbox.yml b/rules/windows/process_creation/win_run_virtualbox.yml
new file mode 100644
index 00000000000..20c4e94b967
--- /dev/null
+++ b/rules/windows/process_creation/win_run_virtualbox.yml
@@ -0,0 +1,37 @@
+title: Detect Virtualbox Driver Installation OR Starting Of VMs
+id: bab049ca-7471-4828-9024-38279a4c04da
+status: experimental
+description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
+references:
+ - https://attack.mitre.org/techniques/T1564/006/
+ - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+ - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
+author: Janantha Marasinghe
+date: 2020/09/26
+modified: 2021/06/27
+tags:
+ - attack.defense_evasion
+ - attack.t1564.006
+ - attack.t1564
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - 'VBoxRT.dll,RTR3Init'
+ - 'VBoxC.dll'
+ - 'VBoxDrv.sys'
+ selection_2:
+ CommandLine|contains:
+ - 'startvm'
+ - 'controlvm'
+ condition: selection_1 or selection_2
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - This may have false positives on hosts where Virtualbox is legitimately being used for operations
+level: low
diff --git a/rules/windows/process_creation/win_script_event_consumer_spawn.yml b/rules/windows/process_creation/win_script_event_consumer_spawn.yml
new file mode 100644
index 00000000000..7c525990ec7
--- /dev/null
+++ b/rules/windows/process_creation/win_script_event_consumer_spawn.yml
@@ -0,0 +1,38 @@
+title: Script Event Consumer Spawning Processs
+id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
+status: experimental
+description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
+references:
+ - https://redcanary.com/blog/child-processes/
+ - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
+author: Sittikorn S
+date: 2021/06/21
+tags:
+ - attack.execution
+ - attack.t1047
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\scrcons.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\dllhost.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\schtasks.exe'
+ - '\regsvr32.exe'
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\msiexec.exe'
+ - '\msbuild.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: high
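Review bot: The title on the first line has a typo, `Processs`; suggest `title: Script Event Consumer Spawning Process`. `falsepositives: - unknown` is lowercase whereas the other new rules in this commit write `Unknown`; minor, but consistent casing helps anyone filtering rule metadata. Adding `Image` to `fields` would surface the matched child binary alongside the command lines.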
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 3abe5ff234c..66b939845bd 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -11,17 +11,20 @@ tags:
- attack.t1138 # an old one
author: Markus Neis
date: 2019/01/16
-modified: 2020/09/06
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\sdbinst.exe'
- CommandLine:
- - '*.sdb*'
- condition: selection
+ Image|endswith:
+ - '\sdbinst.exe'
+ CommandLine|contains:
+ - '.sdb'
+ filter:
+ - CommandLine|contains:
+ - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
+ condition: selection and not filter
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 43bdfd90cc3..45e71b95fd9 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -2,14 +2,17 @@ title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
-author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
+modified: 2021/06/02
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+ - https://github.com/Neo23x0/Raccine#the-process
+ - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
tags:
- attack.defense_evasion
- attack.impact
@@ -19,15 +22,23 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
+ - '\diskshadow.exe'
CommandLine|contains|all:
- - shadow # will mach "delete shadows" and "shadowcopy delete"
+ - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
- delete
- condition: selection
+ selection2:
+ Image|endswith:
+ - '\wbadmin.exe'
+ CommandLine|contains|all:
+ - delete
+ - catalog
+ - quiet # will match -quiet or /quiet
+ condition: 1 of selection*
fields:
- CommandLine
- ParentCommandLine
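Review bot: `selection1` adds `\diskshadow.exe` but keeps the `shadow` + `delete` command-line requirement; diskshadow is commonly driven interactively or via a script file, in which case the `delete shadows` text lives in the script rather than in the process command line and this new entry would not fire — verify against your telemetry. If that limitation is accepted, a comment such as `# only covers inline diskshadow usage; script-file invocations are not visible in CommandLine` on the `\diskshadow.exe` line would document the gap. `selection2` reads fine: `quiet` alone is a loose token, but it is ANDed with `delete` and `catalog`.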
diff --git a/rules/windows/process_creation/win_shell_spawn_mshta.yml b/rules/windows/process_creation/win_shell_spawn_mshta.yml
new file mode 100644
index 00000000000..d77e607c142
--- /dev/null
+++ b/rules/windows/process_creation/win_shell_spawn_mshta.yml
@@ -0,0 +1,33 @@
+title: Mshta Spawning Windows Shell
+id: 772bb24c-8df2-4be0-9157-ae4dfa794037
+status: experimental
+description: Detects a suspicious child process of a mshta.exe process
+references:
+ - https://app.any.run/tasks/f0fac90f-84ac-4faa-b5b2-f4353c388969/#
+ - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
+author: Florian Roth
+date: 2021/06/28
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1064 # an old one
+ - attack.t1059.005
+ - attack.t1059.001
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\mshta.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\cmd.exe'
+ - '\WScript.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 326513aee88..0463c67c64f 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -19,22 +19,22 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\mshta.exe'
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\mshta.exe'
+ - '\powershell.exe'
# - '*\cmd.exe' # too many false positives
- - '*\rundll32.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\wmiprvse.exe'
- Image:
- - '*\schtasks.exe'
- - '*\nslookup.exe'
- - '*\certutil.exe'
- - '*\bitsadmin.exe'
- - '*\mshta.exe'
+ - '\rundll32.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\wmiprvse.exe'
+ Image|endswith:
+ - '\schtasks.exe'
+ - '\nslookup.exe'
+ - '\certutil.exe'
+ - '\bitsadmin.exe'
+ - '\mshta.exe'
falsepositives:
- CurrentDirectory: '*\ccmcache\\*'
+ CurrentDirectory|contains: '\ccmcache\'
condition: selection and not falsepositives
fields:
- CommandLine
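Review bot: The commented-out `# - '*\cmd.exe'` line inside `ParentImage|endswith` still uses the old leading-wildcard form while every neighbouring entry was converted to `\name.exe`; if someone re-enables it under the `|endswith` modifier it will carry a literal `*`, so update it now to `# - '\cmd.exe' # too many false positives`. The `CurrentDirectory|contains: '\ccmcache\'` rewrite preserves the original semantics.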
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index 41e4e6cc196..66fa5a3f6ba 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -23,8 +23,5 @@ logsource:
product: windows
---
logsource:
+ category: image_load
product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
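Review bot: This document drops its `detection`/`selection` block (EventID 7) and switches to `category: image_load`; the first document of this collection, which holds the shared condition, starts outside the hunk — confirm it does not still reference the removed `selection` name, otherwise this second document no longer compiles. A comment on the `category: image_load` line, e.g. `# event filtering now comes from the generic image_load logsource mapping`, would explain to the next reader why no selection is needed here.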
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 16cf006fd2e..c71eae33f11 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -15,11 +15,13 @@ logsource:
product: windows
detection:
selection_image:
- Image: '*\setspn.exe'
+ Image|endswith: '\setspn.exe'
selection_desc:
- Description: '*Query or reset the computer* SPN attribute*'
+ Description|contains|all:
+ - 'Query or reset the computer'
+ - 'SPN attribute'
cmd:
- CommandLine: '*-q*'
+ CommandLine|contains: '-q'
condition: (selection_image or selection_desc) and cmd
falsepositives:
- Administrator Activity
diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
new file mode 100644
index 00000000000..328318d1c74
--- /dev/null
+++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
@@ -0,0 +1,27 @@
+title: Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access
+id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
+description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+ - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
+status: experimental
+date: 2020/18/02
+modified: 2021/06/11
+author: Sreeman
+tags:
+ - attack.t1015
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine:
+ - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+ condition: selection
+fields:
+ - CommandLine
+ - ParentProcess
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
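Review bot: `date: 2020/18/02` is not a valid YYYY/MM/DD value (month 18), presumably `2020/02/18`, and the file also lacks a trailing newline. The single exact-match `CommandLine` literal is brittle: Sigma matching is case-insensitive, but a different drive letter, quoting, argument order, `xcopy`, or an omitted `/y` all escape it, whereas `CommandLine|contains|all:` with `'cmd.exe'` and `'sethc.exe'` would cover the same replacement technique more robustly. `ParentProcess` in `fields` is not the field name the other rules in this commit use (`ParentImage`/`ParentCommandLine`), and `attack.t1015` is a retired technique id that sibling rules annotate with `# an old one`.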
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 503e79145fd..831fefe48f6 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -5,23 +5,28 @@ description: Detects the execution of a AdFind for Active Directory enumeration
references:
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
-author: FPT.EagleEye Team
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+author: FPT.EagleEye Team, omkar72, oscd.community
date: 2020/09/26
+modified: 2021/05/12
tags:
- attack.discovery
- - attack.t1016
- attack.t1018
+ - attack.t1087.002
- attack.t1482
- #- attack.t1069.002
- #- attack.t1087.002
+ - attack.t1069.002
logsource:
product: windows
- service: process_creation
+ category: process_creation
detection:
selection:
- ProcessCommandLine|contains: 'objectcategory'
- Image:
- - '*\adfind.exe'
+ CommandLine|contains:
+ - 'objectcategory'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'dclist'
+ - 'computers_pwdnotreqd'
+ Image|endswith: '\adfind.exe'
condition: selection
falsepositives:
- Administrative activity
diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml
new file mode 100644
index 00000000000..ac9584df303
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_atbroker.yml
@@ -0,0 +1,53 @@
+title: Suspicious Atbroker Execution
+id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+description: Atbroker executing non-deafualt Assistive Technology applications
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+status: experimental
+author: Mateusz Wydra, oscd.community
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - Image|endswith: 'AtBroker.exe'
+ selection2:
+ - CommandLine|contains: 'start'
+ filter:
+ - CommandLine|contains:
+ - animations
+ - audiodescription
+ - caretbrowsing
+ - caretwidth
+ - colorfiltering
+ - cursorscheme
+ - filterkeys
+ - focusborderheight
+ - focusborderwidth
+ - highcontrast
+ - keyboardcues
+ - keyboardpref
+ - magnifierpane
+ - messageduration
+ - minimumhitradius
+ - mousekeys
+ - Narrator
+ - osk
+ - overlappedcontent
+ - showsounds
+ - soundsentry
+ - stickykeys
+ - togglekeys
+ - windowarranging
+ - windowtracking
+ - windowtrackingtimeout
+ - windowtrackingzorder
+ condition: selection1 and selection2 and not filter
+falsepositives:
+ - Legitimate, non-default assistive technology applications execution
+level: high
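Review bot: `Image|endswith: 'AtBroker.exe'` lacks the leading backslash that every other `|endswith` image match in this commit carries, so it also matches any binary whose name merely ends in `AtBroker.exe`; use `'\AtBroker.exe'`. The description has a typo, `non-deafualt` → `non-default`. `selection2`'s `CommandLine|contains: 'start'` is a loose token, but it is bounded by `selection1`, so acceptable.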
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index a852aa98f12..b6c58093481 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -4,8 +4,10 @@ status: experimental
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+ - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019/02/07
+modified: 2021/06/18
tags:
- attack.defense_evasion
- attack.t1070
@@ -17,10 +19,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\bcdedit.exe'
- CommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
+ Image|endswith: '\bcdedit.exe'
+ CommandLine|contains:
+ - 'delete'
+ - 'deletevalue'
+ - 'import'
+ - 'safeboot'
+ - 'network'
condition: selection
level: medium
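Review bot: Under `CommandLine|contains`, `'deletevalue'` is fully subsumed by `'delete'`, so the second entry is dead; either drop it or keep it with a comment stating it is intentionally explicit. The newly added `'network'` and `'safeboot'` tokens are bare substrings that will also match unrelated bcdedit usage (any path containing `network`, for instance); a comment such as `# matches the safeboot minimal/network boot options` would record why they were added and help a future reader judge the false-positive trade-off.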
diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml
index 01bc71137bf..b0e6ec94bb3 100644
--- a/rules/windows/process_creation/win_susp_calc.yml
+++ b/rules/windows/process_creation/win_susp_calc.yml
@@ -14,11 +14,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*\calc.exe *'
+ CommandLine|contains: '\calc.exe '
selection2:
- Image: '*\calc.exe'
+ Image|endswith: '\calc.exe'
filter2:
- Image: '*\Windows\Sys*'
+ Image|contains: '\Windows\Sys'
condition: selection1 or ( selection2 and not filter2 )
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 03d13f66930..b643eb4fc1b 100644
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -5,11 +5,9 @@ description: Detects a suspicious Microsoft certutil execution with sub commands
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
-modified: 2020/09/05
+modified: 2021/04/23
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- - https://twitter.com/subTee/status/888102593838362624
- - https://twitter.com/subTee/status/888071631528235010
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
@@ -18,23 +16,24 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - '* -decode *'
- - '* /decode *'
- - '* -decodehex *'
- - '* /decodehex *'
- - '* -urlcache *'
- - '* /urlcache *'
- - '* -verifyctl *'
- - '* /verifyctl *'
- - '* -encode *'
- - '* /encode *'
- - '*certutil* -URL*'
- - '*certutil* /URL*'
- - '*certutil* -ping*'
- - '*certutil* /ping*'
- condition: selection
+ parameters:
+ CommandLine|contains:
+ - ' -decode '
+ - ' -decodehex '
+ - ' -urlcache '
+ - ' -verifyctl '
+ - ' -encode '
+ - ' /decode '
+ - ' /decodehex '
+ - ' /urlcache '
+ - ' /verifyctl '
+ - ' /encode '
+ certutil:
+ Image|endswith: '\certutil.exe'
+ CommandLine|contains:
+ - 'URL'
+ - 'ping'
+ condition: parameters or certutil
fields:
- CommandLine
- ParentCommandLine
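Review bot: The `certutil` selection's `CommandLine|contains: 'URL'` / `'ping'` is broader than the lines it replaces: the old patterns required ` -URL`/` /URL` and ` -ping`/` /ping`, while bare `URL` and `ping` match any certutil command line containing those letters anywhere (e.g. `-urlcache`, already covered by `parameters`, or a path containing `mapping`). Restoring the switch prefix — ` -URL`, ` /URL`, ` -ping`, ` /ping` — keeps the original precision without losing coverage. The `parameters` entries are fine as written, since the trailing space keeps ` -decode ` from swallowing ` -decodehex `.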
@@ -49,7 +48,7 @@ tags:
- attack.g0045
- attack.g0049
- attack.g0075
- - attack.g0096
+ - attack.g0096
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml
index b0d187ed09a..3ab6f3319f1 100644
--- a/rules/windows/process_creation/win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/win_susp_certutil_encode.yml
@@ -5,9 +5,9 @@ description: Detects suspicious a certutil command that used to encode files, wh
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/02/24
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1027
@@ -16,11 +16,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - certutil -f -encode *
- - certutil.exe -f -encode *
- - certutil -encode -f *
- - certutil.exe -encode -f *
+ Image|endswith: '\certutil.exe'
+ CommandLine|contains|all:
+ - '-f'
+ - '-encode'
condition: selection
falsepositives:
- unknown
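Review bot: The new `CommandLine|contains|all` only lists the dash forms `-f` and `-encode`; the sibling `win_susp_certutil_command.yml` in this commit lists both ` -encode ` and ` /encode `, so an invocation using slash switches is missed here although the old wildcard patterns missed it too. Since a second `CommandLine|contains|all` cannot live under the same key, splitting into two selections (`selection_dash` / `selection_slash`) with `condition: 1 of selection*` would close the gap. `'-f'` as a bare substring also matches any other `-f...` switch, which is tolerable only because it is ANDed with `-encode`; a comment saying so would help.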
diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index 019d2fcf890..d0efa1072c1 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -19,10 +19,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine|contains:
# - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries)
- - '*h^t^t^p*'
- - '*h"t"t"p*'
+ - 'h^t^t^p'
+ - 'h"t"t"p'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index ddbf7dd1af4..93c3f436fdb 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -5,9 +5,9 @@ description: Detects a suspicious command line execution that includes an URL an
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
-modified: 2020/09/05
+modified: 2020/11/20
tags:
- attack.execution
- attack.t1059.003
@@ -19,9 +19,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - cmd.exe /c *http://*%AppData%
- - cmd.exe /c *https://*%AppData%
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'http' # captures both http and https
+ - '://'
+ - '%AppData%'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml
index 6b68d66dc66..09f0a78704c 100644
--- a/rules/windows/process_creation/win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/win_susp_codepage_switch.yml
@@ -2,8 +2,9 @@ title: Suspicious Code Page Switch
id: c7942406-33dd-4377-a564-0f62db0593a3
status: experimental
description: Detects a code page switch in command line or batch scripts to a rare language
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/10/14
+modified: 2020/11/28
references:
- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
- https://twitter.com/cglyer/status/1183756892952248325
@@ -12,13 +13,14 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - 'chcp* 936' # Chinese
- # - 'chcp* 1256' # Arabic
- - 'chcp* 1258' # Vietnamese
- # - 'chcp* 855' # Russian
- # - 'chcp* 866' # Russian
- # - 'chcp* 864' # Arabic
+ Image|endswith: '\chcp.com'
+ CommandLine|endswith:
+ - ' 936' # Chinese
+ # - ' 1256' # Arabic
+ - ' 1258' # Vietnamese
+ # - ' 855' # Russian
+ # - ' 866' # Russian
+ # - ' 864' # Arabic
condition: selection
fields:
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
index 8810516abdd..1f1037f9563 100644
--- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
@@ -8,7 +8,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
date: 2018/08/22
-modified: 2018/12/11
+modified: 2020/11/28
tags:
- attack.discovery
- attack.t1087
@@ -19,24 +19,25 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ - CommandLine:
- tasklist
- net time
- systeminfo
- whoami
- nbtstat
- net start
- - '*\net1 start'
- qprocess
- nslookup
- hostname.exe
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - netstat -an
+ - 'netstat -an'
+ - CommandLine|endswith:
+ - '\net1 start'
+ - '\net1 user /domain'
+ - '\net1 group /domain'
+ - '\net1 group "domain admins" /domain'
+ - '\net1 group "Exchange Trusted Subsystem" /domain'
+ - '\net1 accounts /domain'
+ - '\net1 user net localgroup administrators'
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index e4212245834..32655a9b0ec 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -22,15 +22,15 @@ detection:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
- CommandLine:
- - '* -p*'
- - '* -ta*'
- - '* -tb*'
- - '* -sdel*'
- - '* -dw*'
- - '* -hp*'
+ CommandLine|contains:
+ - ' -p'
+ - ' -ta'
+ - ' -tb'
+ - ' -sdel'
+ - ' -dw'
+ - ' -hp'
falsepositive:
- ParentImage: 'C:\Program*'
+ ParentImage|startswith: 'C:\Program'
condition: selection and not falsepositive
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index 56832c75459..2879adff89a 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -13,13 +13,14 @@ logsource:
product: windows
detection:
rundll_image:
- Image: '*\rundll32.exe'
+ Image|endswith: '\rundll32.exe'
rundll_ofn:
OriginalFileName: 'RUNDLL32.EXE'
selection:
- CommandLine:
- - '*comsvcs*MiniDump*full*'
- - '*comsvcs*MiniDumpW*full*'
+ CommandLine|contains|all:
+ - 'comsvcs'
+ - 'MiniDump' #Matches MiniDump and MinidumpW
+ - 'full'
condition: (rundll_image or rundll_ofn) and selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_conhost.yml b/rules/windows/process_creation/win_susp_conhost.yml
index 916dccb92d0..02592026a42 100644
--- a/rules/windows/process_creation/win_susp_conhost.yml
+++ b/rules/windows/process_creation/win_susp_conhost.yml
@@ -6,6 +6,7 @@ references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020/10/25
+modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1202
@@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\conhost.exe'
+ ParentImage|endswith: '\conhost.exe'
condition: selection
fields:
- Image
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 7d8927d8550..726bb7ce1a0 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -16,10 +16,10 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\System32\control.exe'
- CommandLine: '*\rundll32.exe *'
+ ParentImage|endswith: '\System32\control.exe'
+ Image|endswith: '\rundll32.exe '
filter:
- CommandLine: '*Shell32.dll*'
+ CommandLine|contains: 'Shell32.dll'
condition: selection and not filter
fields:
- CommandLine
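Review bot: `Image|endswith: '\rundll32.exe '` carries a trailing space inside the quotes; an image path never ends with a space, so `selection` can never match and the rule is silently dead after this change. Change it to `Image|endswith: '\rundll32.exe'`. The line it replaces matched on `CommandLine`, so also confirm the move to `Image` is deliberate rather than a copy-paste slip.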
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 53841c57311..7041aa9dc8d 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -1,28 +1,44 @@
title: Copy from Admin Share
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: experimental
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+description: Detects a suspicious copy command to or from an Admin share
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
-author: Florian Roth
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
date: 2019/12/30
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.lateral_movement
+ - attack.collection
+ - attack.exfiltration
+ - attack.t1039
+ - attack.t1105 # an old one
+ - attack.t1048
- attack.t1021.002
- - attack.command_and_control
- - attack.t1105
- - attack.s0106
- - attack.t1077 # an old one
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
+ Image|endswith:
+ - '\robocopy.exe'
+ - '\xcopy.exe'
+ selection2:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: 'copy'
+ selection3:
+ Image|contains: '\powershell'
CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
- condition: selection
+ - 'copy-item'
+ - 'copy'
+ - 'cpi '
+ - ' cp '
+ selection4:
+ CommandLine|contains|all:
+ - '\\\\'
+ - '$'
+ condition: (selection1 or selection2 or selection3) and selection4
fields:
- CommandLine
- ParentCommandLine
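Review bot: In `selection3`, `'copy'` already matches everything `'copy-item'` matches under `|contains`, so the `copy-item` entry is redundant; keep it only with a comment marking it as intentional. `' cp '` and `'cpi '` are short tokens, but they are ANDed with `selection4`'s UNC/share check, which keeps the rule bounded. `selection2`'s `CommandLine|contains: 'copy'` on `cmd.exe` will also match `xcopy`/`robocopy` launched through cmd, overlapping with `selection1` — harmless, but a one-line comment would save the next reviewer the same analysis.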
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 48de314d024..5a353545323 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -16,8 +16,10 @@ tags:
detection:
selection:
CommandLine|contains:
- - ' /c copy *\System32\'
- - 'xcopy*\System32\'
+ - ' /c copy'
+ - 'xcopy'
+ CommandLine|contains|all:
+ - '\System32\'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index d2440ff5c8f..0c323f1e70c 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -4,7 +4,7 @@ description: Detects suspicious command lines used in Covenant luanchers
status: experimental
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2020/06/04
tags:
- attack.execution
@@ -17,12 +17,19 @@ logsource:
product: windows
detection:
selection:
+ CommandLine|contains|all:
+ - '-Sta'
+ - '-Nop'
+ - '-Window'
+ - 'Hidden'
+ CommandLine|contains:
+ - '-Command'
+ - '-EncodedCommand'
+ selection2:
CommandLine|contains:
- - ' -Sta -Nop -Window Hidden -Command '
- - ' -Sta -Nop -Window Hidden -EncodedCommand '
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
- condition: selection
+ condition: selection or selection2
level: high
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index b72016d4921..9a5f1afb3fe 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -1,6 +1,6 @@
title: CrackMapExec Command Execution
id: 058f4380-962d-40a5-afce-50207d36d7e2
-status: experimental
+status: stable
description: Detect various execution methods of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
@@ -8,7 +8,7 @@ tags:
- attack.execution
- attack.t1047
- attack.t1053
- - attack.t1059.003
+ - attack.t1059.003
- attack.t1059.001
- attack.s0106
- attack.t1086 # an old one
@@ -19,17 +19,18 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine|endswith:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
+ - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
+ - 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- - '*cmd.exe /C * > *\\Temp\\* 2>&1'
+ - 'cmd.exe /C * > *\\Temp\\* 2>&1'
+ CommandLine|contains:
# cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
- - '*powershell.exe -noni -nop -w 1 -enc *'
+ - 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
fields:
- ComputerName
diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml
index 0d0c867a243..28f543963c7 100644
--- a/rules/windows/process_creation/win_susp_csc.yml
+++ b/rules/windows/process_creation/win_susp_csc.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1094924091256176641
author: Florian Roth
date: 2019/02/11
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.execution
- attack.t1059.005
@@ -20,11 +20,11 @@ logsource:
product: windows
detection:
selection:
- Image: '*\csc.exe*'
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\mshta.exe'
+ Image|endswith: '\csc.exe'
+ ParentImage|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index f6ba760be8b..ceff85403bf 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -19,19 +19,18 @@ logsource:
product: windows
detection:
selection:
- Image: '*\csc.exe'
- CommandLine:
- - '*\AppData\\*'
- - '*\Windows\Temp\\*'
- filter1:
- ParentImage:
- - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
- - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
- filter2:
- ParentCommandLine|contains:
+ Image|endswith: '\csc.exe'
+ CommandLine|contains:
+ - '\AppData\'
+ - '\Windows\Temp\'
+ filter:
+ - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - ParentImage|endswith:
+ - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
+ - ParentCommandLine|contains:
- '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
- condition: selection and not filter1 and not filter2
+ condition: selection and not filter
falsepositives:
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://twitter.com/gabriele_pippi/status/1206907900268072962
diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml
new file mode 100644
index 00000000000..ee19fca9044
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_csi.yml
@@ -0,0 +1,38 @@
+title: Suspicious Csi.exe Usage
+id: 40b95d31-1afc-469e-8d34-9a3a667d058e
+description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/17
+modified: 2021/05/11
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml
+ - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+ - https://twitter.com/Z3Jpa29z/status/1317545798981324801
+tags:
+ - attack.execution
+ - attack.t1072
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ basic:
+ - Image|endswith: '\csi.exe'
+ - Image|endswith: '\rcsi.exe'
+ renamed:
+ - OriginalFileName: 'csi.exe'
+ - OriginalFileName: 'rcsi.exe'
+ selection:
+ Company: 'Microsoft Corporation'
+ condition: (basic or renamed) and selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate usage by software developers
+level: medium
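Review bot: `Company` (L19391) and `OriginalFileName` (L19388-L19389) are populated by Sysmon process-creation events but not by Windows Security 4688, so with a plain `category: process_creation` logsource the `selection` block can never match in 4688-only environments and the rule silently never fires. A `logsource.definition` line stating the Sysmon requirement, as the diskshadow rule in this same commit does, would make that dependency explicit. Separately, `attack.t1072` (Software Deployment Tools) does not obviously fit a C# interactive compiler; confirm the intended technique. The description also misspells "Microsoft" as `Micosoft`.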
diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml
index 57092fbb0ca..94584f79550 100644
--- a/rules/windows/process_creation/win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml
@@ -18,7 +18,9 @@ logsource:
detection:
condition: selection
selection:
- CommandLine|contains: 'curl* start '
+ CommandLine|contains|all:
+ - 'curl'
+ - ' start '
falsepositives:
- Administrative scripts (installers)
fields:
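Review bot: `CommandLine|contains|all` no longer requires `curl` to precede ` start ` the way the old `'curl* start '` wildcard did, and the bare `'curl'` token also matches any command line that merely contains that substring, for example inside a path or URL. If the ordering was deliberate the loss should be noted in the description; otherwise `'curl '` or `'curl.exe'` would anchor the token to the binary name while keeping the `contains|all` form.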
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 2737be5c00e..810f8be987d 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection_1:
- Image|endswith: '*\reg.exe'
+ Image|endswith: '\reg.exe'
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_2:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
diff --git a/rules/windows/process_creation/win_susp_disable_eventlog.yml b/rules/windows/process_creation/win_susp_disable_eventlog.yml
index 8aab5e413b8..edbdd25fb40 100644
--- a/rules/windows/process_creation/win_susp_disable_eventlog.yml
+++ b/rules/windows/process_creation/win_susp_disable_eventlog.yml
@@ -1,21 +1,32 @@
-title: Disable Windows Eventlog
+title: Disable or Delete Windows Eventlog
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: experimental
-description: Detects command that is used to disable Windows eventlog
+description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
+ - https://ss64.com/nt/logman.html
tags:
- attack.defense_evasion
- attack.t1562.001
+ - attack.t1070.001
author: Florian Roth
date: 2021/02/11
+modified: 2021/06/21
logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine|contains: 'logman stop EventLog-System'
- condition: selection
+ selection_tools:
+ CommandLine|contains:
+ - 'logman '
+ selection_action:
+ CommandLine|contains:
+ - 'stop '
+ - 'delete '
+ selection_service:
+ CommandLine|contains:
+ - EventLog-System
+ condition: all of them
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
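Review bot: `selection_service` only lists `EventLog-System` (L19466) while the new title and description were generalised to "Disable or Delete Windows Eventlog", so `logman stop`/`delete` against the other event-log autologger sessions is not covered. Either extend `selection_service` with the other session names or narrow the title back to the System channel. The three `contains` checks are also independent, so `all of them` accepts any ordering of `logman`, `stop`/`delete` and the session name; that is probably acceptable but worth a short comment on `condition`.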
diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml
index 126cfd04021..b93f381d3cc 100644
--- a/rules/windows/process_creation/win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/win_susp_disable_raccine.yml
@@ -16,7 +16,7 @@ detection:
selection1:
CommandLine|contains|all:
- 'taskkill '
- - '/IM RaccineSettings.exe'
+ - '/IM RaccineSettings.exe'
selection2:
CommandLine|contains|all:
- 'reg.exe'
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml
new file mode 100644
index 00000000000..6c57237edb5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_diskshadow.yml
@@ -0,0 +1,27 @@
+title: Execution via Diskshadow.exe
+id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
+status: experimental
+description: Detects using Diskshadow.exe to execute arbitrary code in text file
+references:
+ - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+tags:
+ - attack.execution
+ - attack.t1218
+author: Ivan Dyachkov, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image|endswith: '\diskshadow.exe'
+ CommandLine|contains:
+ - '/s'
+ - '-s'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts.
+level: high
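Review bot: The `CommandLine|contains` tokens `'/s'` and `'-s'` (L19509-L19510) are two-character substrings, so any other argument beginning with those characters also satisfies the selection; if the script switch is always followed by a space, `'/s '` and `'-s '` would tighten it. The `definition` line misspells "must" as `msut`, and the falsepositives entry misspells "positive" as `postitve`; the falsepositives sentence could also be shortened to `Administrators that use diskshadow scripts as their regular backup tooling`.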
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 3c06ded4100..0bd70927f25 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -15,18 +15,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*.doc.exe'
- - '*.docx.exe'
- - '*.xls.exe'
- - '*.xlsx.exe'
- - '*.ppt.exe'
- - '*.pptx.exe'
- - '*.rtf.exe'
- - '*.pdf.exe'
- - '*.txt.exe'
- - '* .exe'
- - '*______.exe'
+ Image|endswith:
+ - '.doc.exe'
+ - '.docx.exe'
+ - '.xls.exe'
+ - '.xlsx.exe'
+ - '.ppt.exe'
+ - '.pptx.exe'
+ - '.rtf.exe'
+ - '.pdf.exe'
+ - '.txt.exe'
+ - ' .exe'
+ - '______.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml
deleted file mode 100644
index f42c4c82d53..00000000000
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Executables Started in Suspicious Folder
-id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254
-status: experimental
-description: Detects process starts of binaries from a suspicious folder
-author: Florian Roth
-date: 2017/10/14
-modified: 2019/02/21
-references:
- - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
-tags:
- - attack.defense_evasion
- - attack.t1036
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - C:\PerfLogs\\*
- - C:\$Recycle.bin\\*
- - C:\Intel\Logs\\*
- - C:\Users\Default\\*
- - C:\Users\Public\\*
- - C:\Users\NetworkService\\*
- - C:\Windows\Fonts\\*
- - C:\Windows\Debug\\*
- - C:\Windows\Media\\*
- - C:\Windows\Help\\*
- - C:\Windows\addins\\*
- - C:\Windows\repair\\*
- - C:\Windows\security\\*
- - '*\RSA\MachineKeys\\*'
- - C:\Windows\system32\config\systemprofile\\*
- - C:\Windows\Tasks\\*
- - C:\Windows\System32\Tasks\\*
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml
index 69c3fa09e55..ed571e472f1 100644
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@@ -1,9 +1,15 @@
-title: Execution in Non-Executable Folder
+title: Execution from Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious execution from an uncommon folder
author: Florian Roth
date: 2019/01/16
+modified: 2021/03/31
+references:
+ - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
+ - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+ - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+ - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
tags:
- attack.defense_evasion
- attack.t1036
@@ -12,16 +18,27 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\All Users\\*'
- - '*\Users\Default\\*'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\config\systemprofile\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
+ - Image|contains:
+ - '\$Recycle.bin\'
+ - '\config\systemprofile\'
+ - '\Intel\Logs\'
+ - '\RSA\MachineKeys\'
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\NetworkService\'
+ - '\Users\Public\'
+ - '\Windows\addins\'
+ - '\Windows\debug\'
+ - '\Windows\Fonts\'
+ - '\Windows\Help\'
+ - '\Windows\IME\'
+ - '\Windows\Media\'
+ - '\Windows\repair\'
+ - '\Windows\security\'
+ - '\Windows\system32\config\systemprofile\'
+ - '\Windows\System32\Tasks\'
+ - '\Windows\Tasks\'
+ - Image|startswith: 'C:\Perflogs\'
condition: selection
fields:
- CommandLine
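Review bot: The entry `'\Windows\system32\config\systemprofile\'` (L19652) is already matched by `'\config\systemprofile\'` (L19637) under `Image|contains`, so it is redundant and can be dropped. `Image|startswith: 'C:\Perflogs\'` (L19655) is the only drive-specific entry in the list; if installations on other drives matter, `Image|contains: '\Perflogs\'` alongside the others would be consistent. The header hunk of this file adds the references from the deleted win_susp_exec_folder.yml, which this path list appears to merge in.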
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index bdc9cf05fcc..f1ab6a6e341 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -13,17 +13,17 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\wwwroot\\*'
- - '*\wmpub\\*'
- - '*\htdocs\\*'
+ Image|contains:
+ - '\wwwroot\'
+ - '\wmpub\'
+ - '\htdocs\'
filter:
- Image:
- - '*bin\\*'
- - '*\Tools\\*'
- - '*\SMSComponent\\*'
- ParentImage:
- - '*\services.exe'
+ Image|contains:
+ - 'bin\'
+ - '\Tools\'
+ - '\SMSComponent\'
+ ParentImage|endswith:
+ - '\services.exe'
condition: selection and not filter
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml
new file mode 100644
index 00000000000..6d6d8538859
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_explorer.yml
@@ -0,0 +1,26 @@
+title: Proxy Execution Via Explorer.exe
+id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
+description: Attackers can use explorer.exe for evading defense mechanisms
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://twitter.com/CyberRaiju/status/1273597319322058752
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - \explorer.exe
+ ParentImage|endswith:
+ - \cmd.exe
+ CommandLine|contains:
+ - explorer.exe
+ condition: selection
+falsepositives:
+ - Legitimate explorer.exe run from cmd.exe
+level: low
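Review bot: `CommandLine|contains: explorer.exe` (L19717-L19718) adds nothing once `Image|endswith: \explorer.exe` holds, since the command line normally starts with the image name, so the rule effectively fires on every explorer.exe launched from cmd.exe. If a more specific argument pattern is intended, the reference on L19704 should be used to name it; otherwise the check can be removed. The plain scalars starting with a backslash (`\explorer.exe`, `\cmd.exe`) are valid YAML but inconsistent with the quoted style used elsewhere in this commit; `- '\explorer.exe'` and `- '\cmd.exe'` would match the sibling rules.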
diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
index 81b8fed8295..7bfd6a1599f 100644
--- a/rules/windows/process_creation/win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -7,7 +7,7 @@ references:
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018/11/22
-modified: 2020/05/26
+modified: 2021/06/27
tags:
- attack.execution
- attack.t1059.006
@@ -27,7 +27,7 @@ detection:
Description: '\?'
Company: '\?'
folder:
- Image: '*\Downloads\\*'
+ Image|contains: '\Downloads\'
condition: (selection1 or selection2 or selection3) and folder
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
new file mode 100644
index 00000000000..63ffa1398a5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -0,0 +1,27 @@
+title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+id: eee00933-a761-4cd0-be70-c42fe91731e7
+status: experimental
+description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\GfxDownloadWrapper.exe'
+ cmd_known_url:
+ CommandLine|contains: 'gameplayapi.intel.com'
+ same_parent:
+ ParentImage|endswith: '\GfxDownloadWrapper.exe'
+ condition: image_path and not cmd_known_url and not same_parent
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
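Review bot: The allow-list `cmd_known_url` (L19766) is a bare substring, so any command line containing `gameplayapi.intel.com` anywhere, not only as the target host, is suppressed. If the legitimate download URL always has a fixed form, anchoring the token to it (for example `'://gameplayapi.intel.com/'`) keeps the exclusion narrow; confirm against real events before changing it. The `tags` block (L19775-L19777) sits after `level`, whereas the other rules in this commit place it before `logsource`.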
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
new file mode 100644
index 00000000000..1a5a5803785
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_findstr.yml
@@ -0,0 +1,32 @@
+title: Abusing Findstr for Defense Evasion
+id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selectionFindstr:
+ CommandLine|contains:
+ - findstr
+ selection_V_L:
+ CommandLine|contains|all:
+ - /V
+ - /L
+ selection_S_I:
+ CommandLine|contains|all:
+ - /S
+ - /I
+ condition: selectionFindstr and (selection_V_L or selection_S_I)
+falsepositives:
+ - Administrative findstr usage
+level: medium
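Review bot: The switch tokens `/V`, `/L`, `/S`, `/I` (L19806-L19811) are two-character `contains` substrings, so any longer argument starting with those letters also matches; quoting them as `'/V '` etc. would anchor them if findstr always separates switches with a space. The selection names mix `selectionFindstr` with `selection_V_L`/`selection_S_I`; pick one convention. The sibling rule win_susp_findstr_lnk.yml anchors on `Image|endswith: '\findstr.exe'` rather than `CommandLine|contains: findstr`, and the same anchor would avoid matching unrelated command lines that only mention the word.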
diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml
index fd192eac265..2c9f39874ef 100644
--- a/rules/windows/process_creation/win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
@@ -17,8 +17,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\findstr.exe'
- CommandLine: '*.lnk'
+ Image|endswith: '\findstr.exe'
+ CommandLine|endswith: '.lnk'
condition: selection
fields:
- Image
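Review bot: `CommandLine|endswith: '.lnk'` (L19827) does not match when the argument is quoted and the command line ends in `.lnk"`, which process-creation logs commonly show for paths with spaces. Either switch to `CommandLine|contains: '.lnk'` or add a second entry `'.lnk"'` so both forms are covered.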
diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml
index 0290955b0fd..87fd5ff3085 100644
--- a/rules/windows/process_creation/win_susp_finger_usage.yml
+++ b/rules/windows/process_creation/win_susp_finger_usage.yml
@@ -1,11 +1,12 @@
title: Finger.exe Suspicious Invocation
id: af491bca-e752-4b44-9c86-df5680533dbc
description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
-author: Florian Roth
+author: Florian Roth, omkar72, oscd.community
date: 2021/02/24
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
+ - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
tags:
- attack.command_and_control
- attack.t1105
diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml
new file mode 100644
index 00000000000..7572cf22be0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ftp.yml
@@ -0,0 +1,32 @@
+title: Suspicious ftp.exe
+id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
+status: experimental
+description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ ftp_path:
+ Image|endswith: 'ftp.exe'
+ ftp_metadata:
+ OriginalFileName|contains: 'ftp.exe'
+ cmd_with_script_modifier:
+ CommandLine|contains: '-s:'
+ parent_path:
+ ParentImage|endswith: 'ftp.exe'
+ condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path
+fields:
+ - CommandLine
+ - ParentImage
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
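Review bot: `Image|endswith: 'ftp.exe'` (L19868) and `ParentImage|endswith: 'ftp.exe'` (L19874) lack the leading path separator used by every other rule in this commit, so they also match `tftp.exe`, `sftp.exe` or any binary whose name ends in those characters; `parent_path` alone then fires for every child of such a process. Use `'\ftp.exe'` for both, and consider the same for `OriginalFileName|contains: 'ftp.exe'` (L19870), which has the same overlap. `OriginalFileName` is a Sysmon-provided field, so the `ftp_metadata` branches never match on 4688-only sources; a `logsource.definition` line would document that.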
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 19acad19251..a6d7d8e3f07 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image: '*\GUP.exe'
+ Image|endswith: '\GUP.exe'
filter:
Image|endswith:
- - ':\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
- - ':\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
- - ':\Program Files\Notepad++\updater\GUP.exe'
- - ':\Program Files (x86)\Notepad++\updater\GUP.exe'
+ - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
+ - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
+ - '\Program Files\Notepad++\updater\GUP.exe'
+ - '\Program Files (x86)\Notepad++\updater\GUP.exe'
condition: selection and not filter
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 28305f82e08..269e1851853 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -6,6 +6,7 @@ references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
date: 2012/12/11
+modified: 2020/11/28
tags:
- attack.persistence
- attack.t1505.003
@@ -15,8 +16,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\APPCMD.EXE install module /name:*'
+ Image|endswith: '\appcmd.exe'
+ CommandLine|contains|all:
+ - 'install'
+ - 'module'
+ - '/name:'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
new file mode 100644
index 00000000000..e609f086ebe
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
@@ -0,0 +1,25 @@
+title: Mounted Share Deleted
+id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\net.exe'
+ Image|endswith: '\net1.exe'
+ CommandLine|contains|all:
+ - 'share'
+ - '/delete'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: low
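Review bot: The detection matches `net share ... /delete` (L19961-L19962), which removes a share the host is offering, while the title "Mounted Share Deleted" and the T1070.005 tag describe removing a network share connection (`net use ... /delete`). Either rename the rule to describe share removal or add the `use` form so the title and detection agree; the referenced atomics should settle which was intended. Requiring `ParentImage` net.exe and `Image` net1.exe together also leaves a direct net1.exe invocation uncovered; matching `Image|endswith` on either binary without the parent constraint would be more robust.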
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
index 099b8fbd8f0..a22a717cd08 100644
--- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
@@ -15,12 +15,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\msiexec.exe'
+ Image|endswith: '\msiexec.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\WinSxS\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
index 594d5ce32ca..3fbb4ca6398 100644
--- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
@@ -11,14 +11,15 @@ tags:
- attack.t1105
author: Florian Roth
date: 2018/02/09
-modified: 2020/08/30
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '* msiexec*://*'
+ CommandLine|contains|all:
+ - ' msiexec'
+ - '://'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
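Review bot: The token `' msiexec'` (L20007) requires a leading space, so an invocation by full path (`\msiexec.exe ... ://...`) is not matched; the old `'* msiexec*://*'` had the same gap, but this rewrite is the place to close it. The sibling rule win_susp_msiexec_cwd.yml in this commit anchors on `Image|endswith: '\msiexec.exe'`, and using that here with `CommandLine|contains: '://'` covers both spellings. `contains|all` also drops the requirement that msiexec precede the URL, which is probably fine but worth stating in the description.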
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index a4c3a771125..5773c4244c0 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -9,7 +9,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019/01/16
-modified: 2020/08/30
+modified: 2020/11/28
tags:
- attack.discovery
- attack.t1049
@@ -29,19 +29,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\net.exe'
- - '*\net1.exe'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
cmdline:
- CommandLine:
- - '* group*'
- - '* localgroup*'
- - '* user*'
- - '* view*'
- - '* share'
- - '* accounts*'
- - '* use*'
- - '* stop *'
+ CommandLine|contains:
+ - ' group'
+ - ' localgroup'
+ - ' user'
+ - ' view'
+ - ' share'
+ - ' accounts'
+ - ' stop '
condition: selection and cmdline
fields:
- ComputerName
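Review bot: The rewritten `cmdline` list (L20045-L20052) drops the old `'* use*'` entry (L20043), so `net use` invocations are no longer covered; `' user'` does not replace it, since `' use'` is the broader of the two. If the removal is intentional (the tags are discovery-focused), say so in the description; otherwise add `- ' use '` back.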
diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml
new file mode 100644
index 00000000000..285ccec90ca
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml
@@ -0,0 +1,45 @@
+title: Ngrok Usage
+id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
+description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
+status: experimental
+references:
+ - https://ngrok.com/docs
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
+ - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
+ - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/.
+author: Florian Roth
+date: 2021/05/14
+modified: 2021/06/07
+tags:
+ - attack.command_and_control
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - ' tcp 139'
+ - ' tcp 445'
+ - ' tcp 3389'
+ - ' tcp 5985'
+ - ' tcp 5986'
+ selection2:
+ CommandLine|contains|all:
+ - ' start '
+ - '--all'
+ - '--config'
+ - '.yml'
+ selection3:
+ Image|endswith:
+ - 'ngrok.exe'
+ CommandLine|contains:
+ - ' tcp '
+ - ' http '
+ - ' authtoken '
+ condition: 1 of them
+falsepositives:
+ - Another tool that uses the command line switches of Ngrok
+ - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
+level: high
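Review bot: The reference on L20071 ends with a stray period after the URL (`...phishing-attacks/.`), which breaks the link; drop the trailing `.`. With `condition: 1 of them`, `selection1` (L20083-L20088) fires on any command line containing ` tcp 3389` or the other port tokens without any reference to ngrok, so a high-level alert is raised for unrelated tooling that uses the same fragment; if that breadth is intended, the falsepositives entry should say so, otherwise pair `selection1` with `selection3`'s `Image|endswith` in the condition.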
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index 979a092130b..45e867f7597 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -6,17 +6,18 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019/01/16
+modified: 2020/11/28
tags:
- attack.credential_access
- attack.t1003.003
- - attack.t1003 # an old one
+ - attack.t1003 # an old one
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine: '*\ntdsutil*'
+ Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
-level: high
+level: medium
diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml
index c4522016649..4401ff162c2 100644
--- a/rules/windows/process_creation/win_susp_outlook.yml
+++ b/rules/windows/process_creation/win_susp_outlook.yml
@@ -11,15 +11,19 @@ tags:
- attack.t1202
author: Markus Neis
date: 2018/12/27
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
clientMailRules:
- CommandLine: '*EnableUnsafeClientMailRules*'
+ CommandLine|contains: 'EnableUnsafeClientMailRules'
outlookExec:
- ParentImage: '*\outlook.exe'
- CommandLine: \\\\*\\*.exe
+ ParentImage|endswith: '\outlook.exe'
+ CommandLine|contains|all:
+ - '\\\\'
+ - '\\'
+ - '.exe'
condition: clientMailRules or outlookExec
falsepositives:
- unknown
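Review bot: In `CommandLine|contains|all` (L20153-L20156) the entry `'\\'` is redundant, because any string containing the UNC prefix `'\\\\'` (two literal backslashes) necessarily contains a single one; remove `- '\\'`. The old pattern `\\\\*\\*.exe` also required the `.exe` to follow the UNC path, whereas `contains|all` accepts the tokens in any order; that is probably acceptable but should be noted in the description.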
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index 25e0f2d62c8..2059eb01aa0 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -4,6 +4,7 @@ status: experimental
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth
date: 2019/10/01
+modified: 2021/06/27
tags:
- attack.initial_access
- attack.t1566.001
@@ -13,7 +14,7 @@ logsource:
product: windows
detection:
selection:
- Image: '*\Temporary Internet Files\Content.Outlook\\*'
+ Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
new file mode 100644
index 00000000000..a3f3ddd23d3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
@@ -0,0 +1,27 @@
+title: Code Execution via Pcwutl.dll
+id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
+description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+status: experimental
+references:
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md
+ - https://twitter.com/harr0ey/status/989617817849876488
+author: Julia Fomina, oscd.community
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.execution # an old one
+ - attack.t1218 # an old one
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains|all:
+ - 'pcwutl'
+ - 'LaunchApplication'
+ condition: selection
+level: medium
+falsepositives:
+ - Use of Program Compatibility Troubleshooter Helper
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
new file mode 100644
index 00000000000..a549111f671
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pester.yml
@@ -0,0 +1,35 @@
+title: Execute Code with Pester.bat
+id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+status: experimental
+references:
+ - https://twitter.com/Oddvarmoe/status/993383596244258816
+author: Julia Fomina, oscd.community
+date: 2020/10/08
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_module:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'Pester'
+ - 'Get-Help'
+ cmd_execution:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'pester'
+ - ';'
+ get_help:
+ CommandLine|contains:
+ - 'help'
+ - '?'
+ condition: powershell_module or (cmd_execution and get_help)
+level: medium
+falsepositives:
+ - Legitimate use of Pester for writing tests for Powershell scripts and modules
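Review bot: The `'?'` entry under `get_help` (L20250) is an unescaped Sigma single-character wildcard, so `CommandLine|contains: '?'` matches every non-empty command line and `(cmd_execution and get_help)` collapses to `cmd_execution`. Escape it as `- '\?'`, the form win_susp_file_characteristics.yml uses for a literal question mark. The description misspells "Module" as `Modulte`, and `Image|endswith: '\powershell.exe'` (L20238) leaves pwsh.exe uncovered if PowerShell 7 hosts are in scope.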
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
index 91c49cbefc9..9d9cf28628c 100644
--- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth
date: 2018/03/23
-modified: 2020/10/16
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1140
@@ -16,11 +16,8 @@ logsource:
product: windows
detection:
selection:
- CommandLine|contains:
- - '\ping.exe 0x'
- - '\ping 0x'
- Image|contains:
- - 'ping.exe'
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: '0x'
condition: selection
fields:
- ParentCommandLine
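Review bot: `CommandLine|contains: '0x'` (L20278) matches the substring anywhere in the ping command line, whereas the replaced patterns required it to directly follow the binary name. `CommandLine|contains: ' 0x'` would at least anchor it to the start of an argument while still allowing options before the address; the function of this change is otherwise sound.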
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index de818f0f271..f54f9fc6d6a 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -12,9 +12,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
- - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
+ CommandLine|contains:
+ - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'
+ - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index a384047e86b..760907af5a4 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -4,9 +4,9 @@ description: Detects suspicious powershell process starts with base64 encoded co
status: experimental
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018/09/03
-modified: 2020/10/20
+modified: 2021/03/02
tags:
- attack.execution
- attack.t1059.001
@@ -16,32 +16,30 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -en JAB*'
- - '* -enc JAB*'
- - '* -enc* JAB*'
- - '* -w hidden -e* JAB*'
- - '* BA^J e-'
- - '* -e SUVYI*'
- - '* -e aWV4I*'
- - '* -e SQBFAFgA*'
- - '* -e aQBlAHgA*'
- - '* -enc SUVYI*'
- - '* -enc aWV4I*'
- - '* -enc SQBFAFgA*'
- - '* -enc aQBlAHgA*'
- - '* -e* IAA*'
- - '* -e* IAB*'
- - '* -e* UwB*'
- - '* -e* cwB*'
- - '*.exe -ENCOD *'
+ CommandLine|contains: ' -e' # covers -en and -enc
+ selection2:
+ CommandLine|contains: ' JAB'
+ selection3:
+ CommandLine|contains|all:
+ - ' -w'
+ - ' hidden '
+ selection4:
+ CommandLine|contains:
+ - ' BA^J'
+ - ' SUVYI'
+ - ' SQBFAFgA'
+ - ' aQBlAHgA'
+ - ' aWV4I'
+ - ' IAA'
+ - ' IAB'
+ - ' UwB'
+ - ' cwB'
+ selection5:
+ CommandLine|contains:
+ - '.exe -ENCOD '
falsepositive1:
- CommandLine: '* -ExecutionPolicy remotesigned *'
- condition: selection and not falsepositive1
+ CommandLine|contains|all:
+ - ' -ExecutionPolicy'
+ - 'remotesigned '
+ condition: ((selection and selection2) or (selection and selection2 and selection3) or (selection and selection4) or selection5) and not falsepositive1
level: high
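Review bot: The second disjunct of the condition, `(selection and selection2 and selection3)`, is subsumed by the first, `(selection and selection2)`, so `selection3` never influences the result; either drop it and write `condition: ((selection and (selection2 or selection4)) or selection5) and not falsepositive1`, or make the `-w hidden` case a real alternative (e.g. `(selection and selection3 and selection4)`) if that was the intent. Separately, `falsepositive1` now suppresses any line that contains ` -ExecutionPolicy` and `remotesigned ` anywhere, while the removed `'* -ExecutionPolicy remotesigned *'` required them adjacent — an encoded command can append `remotesigned ` as a throwaway argument to silence the rule. `CommandLine|contains: ' -ExecutionPolicy remotesigned '` preserves the original exclusion without that hole.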
diff --git a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
new file mode 100644
index 00000000000..bffd87a3639
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
@@ -0,0 +1,22 @@
+title: PowerShell Get-Process LSASS
+id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+status: experimental
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+author: Florian Roth
+date: 2021/04/23
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Get-Process lsass'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
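Review bot: Matching only the literal `Get-Process lsass` is bypassed by PowerShell's built-in aliases and parameter forms — `gps lsass`, `ps lsass`, `Get-Process -Name lsass` or `Get-Process lsas*` reach the same process without ever containing that string. Extend the list at least to `- 'Get-Process lsass'`, `- 'gps lsass'`, `- 'ps lsass'`, and consider a second selection pairing `-Name lsass` with one of the cmdlet/alias names. The tag `attack.t1552.004` (Private Keys) also looks off for a step that precedes reading LSASS memory; `attack.t1003.001` seems the closer fit — verify against the referenced tweet.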
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index d004c1e13a3..68771de9d96 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -15,58 +15,58 @@ logsource:
product: windows
detection:
encoded:
- Image: '*\powershell.exe'
- CommandLine: '* hidden *'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains: ' hidden '
selection:
- CommandLine:
- - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
- - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
- - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
- - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
- - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
- - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
- - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
- - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
- - '*JGNodW5rX3Npem*'
- - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
- - '*RjaHVua19zaXpl*'
- - '*Y2h1bmtfc2l6Z*'
- - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
- - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
- - '*lPLkNvbXByZXNzaW9u*'
- - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
- - '*SU8uQ29tcHJlc3Npb2*'
- - '*Ty5Db21wcmVzc2lvb*'
- - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
- - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
- - '*lPLk1lbW9yeVN0cmVhb*'
- - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
- - '*SU8uTWVtb3J5U3RyZWFt*'
- - '*Ty5NZW1vcnlTdHJlYW*'
- - '*4ARwBlAHQAQwBoAHUAbgBrA*'
- - '*5HZXRDaHVua*'
- - '*AEcAZQB0AEMAaAB1AG4Aaw*'
- - '*LgBHAGUAdABDAGgAdQBuAGsA*'
- - '*LkdldENodW5r*'
- - '*R2V0Q2h1bm*'
- - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
- - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
- - '*RIUkVBRF9JTkZPNj*'
- - '*SFJFQURfSU5GTzY0*'
- - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
- - '*VEhSRUFEX0lORk82N*'
- - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
- - '*cmVhdGVSZW1vdGVUaHJlYW*'
- - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
- - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
- - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
- - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
- - '*0AZQBtAG0AbwB2AGUA*'
- - '*1lbW1vdm*'
- - '*AGUAbQBtAG8AdgBlA*'
- - '*bQBlAG0AbQBvAHYAZQ*'
- - '*bWVtbW92Z*'
- - '*ZW1tb3Zl*'
+ CommandLine|contains:
+ - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
+ - 'aXRzYWRtaW4gL3RyYW5zZmVy'
+ - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
+ - 'JpdHNhZG1pbiAvdHJhbnNmZX'
+ - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
+ - 'Yml0c2FkbWluIC90cmFuc2Zlc'
+ - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
+ - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
+ - 'JGNodW5rX3Npem'
+ - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
+ - 'RjaHVua19zaXpl'
+ - 'Y2h1bmtfc2l6Z'
+ - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
+ - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
+ - 'lPLkNvbXByZXNzaW9u'
+ - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
+ - 'SU8uQ29tcHJlc3Npb2'
+ - 'Ty5Db21wcmVzc2lvb'
+ - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
+ - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
+ - 'lPLk1lbW9yeVN0cmVhb'
+ - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
+ - 'SU8uTWVtb3J5U3RyZWFt'
+ - 'Ty5NZW1vcnlTdHJlYW'
+ - '4ARwBlAHQAQwBoAHUAbgBrA'
+ - '5HZXRDaHVua'
+ - 'AEcAZQB0AEMAaAB1AG4Aaw'
+ - 'LgBHAGUAdABDAGgAdQBuAGsA'
+ - 'LkdldENodW5r'
+ - 'R2V0Q2h1bm'
+ - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
+ - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
+ - 'RIUkVBRF9JTkZPNj'
+ - 'SFJFQURfSU5GTzY0'
+ - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
+ - 'VEhSRUFEX0lORk82N'
+ - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
+ - 'cmVhdGVSZW1vdGVUaHJlYW'
+ - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
+ - 'NyZWF0ZVJlbW90ZVRocmVhZ'
+ - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
+ - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
+ - '0AZQBtAG0AbwB2AGUA'
+ - '1lbW1vdm'
+ - 'AGUAbQBtAG8AdgBlA'
+ - 'bQBlAG0AbQBvAHYAZQ'
+ - 'bWVtbW92Z'
+ - 'ZW1tb3Zl'
condition: encoded and selection
falsepositives:
- Penetration tests
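Review bot: The `encoded` selection still requires `Image|endswith: '\powershell.exe'` and `CommandLine|contains: ' hidden '`, so the same base64 payload launched through `pwsh.exe` (PowerShell 7) or with `-w hidden` as the last token (no trailing space) is never reached, even though `selection` would match. Turn the image pin into a list — `Image|endswith:` with `- '\powershell.exe'` and `- '\pwsh.exe'` — and use `CommandLine|contains: ' hidden'`, accepting the slight broadening to tokens that merely start with `hidden`. The rule's title and metadata are outside this hunk.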
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 7ddebda0018..d135cc636d6 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -4,6 +4,7 @@ status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
author: Florian Roth
date: 2019/01/16
+modified: 2020/11/28
references:
- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
tags:
@@ -15,13 +16,12 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- Image:
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ Image|endswith: '\powershell.exe'
falsepositive:
- CurrentDirectory: '*\Health Service State\\*'
+ CurrentDirectory|contains: '\Health Service State\'
condition: selection and not falsepositive
fields:
- CommandLine
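Review bot: `Image|endswith: '\powershell.exe'` covers Windows PowerShell only, so the same wscript/cscript parent chain into `pwsh.exe` or `powershell_ise.exe` is missed. Since `ParentImage|endswith` is already a list, make `Image|endswith` one as well: `- '\powershell.exe'`, `- '\pwsh.exe'`, `- '\powershell_ise.exe'`. The `CurrentDirectory|contains: '\Health Service State\'` exclusion is equivalent to the removed wildcard form and looks fine.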
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
new file mode 100644
index 00000000000..bc3ddc59e5d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -0,0 +1,34 @@
+title: Abusing Print Executable
+id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
+description: Attackers can use print.exe for remote file copy
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|startswith:
+ - print
+ selection2:
+ CommandLine|contains:
+ - /D
+ exeCondition:
+ CommandLine|contains:
+ - .exe
+ cmdExclude:
+ CommandLine|contains:
+ - print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
+falsepositives:
+ - Unknown
+level: medium
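Review bot: `cmdExclude` drops every command line containing `print.exe`, and `selection1` additionally demands `CommandLine|startswith: print`, so the rule only fires for the bare `print /D:... x.exe` spelling — `print.exe /D:...` is excluded outright and an invocation by full path fails the prefix test. Because `Image|endswith: '\print.exe'` already pins the binary, remove the `CommandLine|startswith` entry and the `cmdExclude` selection and use `condition: selection1 and selection2 and exeCondition`. The unquoted scalars (`\print.exe`, `print`, `/D`, `.exe`) parse fine but every other rule in this change quotes them; `'/D:'` with the colon would also be slightly more specific.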
diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml
index 30676b8de47..299ed2930ed 100644
--- a/rules/windows/process_creation/win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml
@@ -19,14 +19,13 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '* -ma *'
+ CommandLine|contains: ' -ma '
selection2:
- CommandLine:
- - '* lsass*'
+ CommandLine|contains: ' lsass'
selection3:
- CommandLine:
- - '* -ma ls*'
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' ls'
condition: ( selection1 and selection2 ) or selection3
falsepositives:
- Unlikely, because no one should dump an lsass process memory
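Review bot: `selection3` now matches any line containing ` -ma ` and, independently, ` ls`, whereas the removed `'* -ma ls*'` required `ls` to be the argument right after `-ma`. ` ls` is a prefix of many tokens (`lsm`, `ls.exe`, any path segment starting with `ls`), so this broadens the rule beyond the `-ma lsass` / `-ma ls` case it targeted. `CommandLine|contains: ' -ma ls'` keeps the original adjacency; `selection1 and selection2` then only adds the case where `lsass` appears elsewhere on the line.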
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
new file mode 100644
index 00000000000..d52158f8562
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
@@ -0,0 +1,33 @@
+title: Suspicious Process Start Without DLL
+id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
+description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1251492025678983169
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\rundll32.exe'
+ - '\regsvcs.exe'
+ - '\regasm.exe'
+ - '\regsvr32.exe'
+ filter1:
+ ParentImage|contains:
+ - '\AppData\Local\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
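Review bot: `CommandLine|endswith: '\rundll32.exe'` (and the three sibling entries) misses the quoted form `"C:\Windows\system32\rundll32.exe"` that many launchers record, where the line ends with `"` — add the quoted variants to the list, e.g. `- '\rundll32.exe"'`. The rule also has no `tags:` block, unlike the other process_creation rules in this change; `attack.defense_evasion` with the relevant `attack.t1218` sub-techniques (.009 Regsvcs/Regasm, .010 Regsvr32, .011 Rundll32) would be consistent. `filter1` excluding any parent under `\AppData\Local\` is a broad exclusion for a `high` rule, since that tree is a common staging location; if specific applications cause the false positives, name their paths instead.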
diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
deleted file mode 100644
index fef504ffc45..00000000000
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious Program Location Process Starts
-id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
-status: experimental
-description: Detects programs running in suspicious files system locations
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-tags:
- - attack.defense_evasion
- - attack.t1036
-author: Florian Roth
-date: 2019/01/15
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
- - '*\Windows\debug\\*'
- condition: selection
-falsepositives:
- - unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b110943c14e..bf9c48a62a7 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,17 +8,22 @@ references:
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
-author: Florian Roth
+ - attack.t1086 # an old one
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/01/09
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '* /c powershell*\AppData\Local\\*'
- - '* /c powershell*\AppData\Roaming\\*'
+ CommandLine|contains|all:
+ - '/c'
+ - 'powershell'
+ - '\AppData\'
+ CommandLine|contains:
+ - 'Local\'
+ - 'Roaming\'
condition: selection
falsepositives:
- Administrative scripts
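Review bot: Splitting the path into `'\AppData\'` (in the `all` list) and `'Local\'` / `'Roaming\'` (in the OR list) loses the adjacency the removed `*\AppData\Local\\*` and `*\AppData\Roaming\\*` patterns enforced: `Local\` and `Roaming\` now match any directory of that name anywhere on the line as long as `\AppData\` appears somewhere else, and the ` /c powershell` ordering is no longer required either. Keep the full prefixes in the OR list — `- '\AppData\Local\'` and `- '\AppData\Roaming\'` — and drop `'\AppData\'` from the `all` list.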
diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
new file mode 100644
index 00000000000..404f2d7a335
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
@@ -0,0 +1,34 @@
+title: PsExec/PAExec Flags
+id: 207b0396-3689-42d9-8399-4222658efc99
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+ - https://www.poweradmin.com/paexec/
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_flags_1: # Escalation to LOCAL_SYSTEM
+ CommandLine|contains|all:
+ - '\\127.0.0.1'
+ - ' -s '
+ - 'cmd.exe'
+ selection_flags_2:
+ CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+ - ' /accepteula '
+ - 'cmd /c '
+ - ' -u '
+ - ' -p '
+ filter:
+ CommandLine|contains:
+ - 'paexec'
+ - 'PsExec'
+ condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+falsepositives:
+ - Weird admins that rename their tools
+ - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+level: high
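Review bot: `selection_flags_2` only accepts ` /accepteula `, but PsExec also takes the flag with a leading dash (`-accepteula`, the spelling used on the referenced Sysinternals page), so the automated pattern the comment describes is missed whenever that form is used; likewise `'cmd /c '` does not match `cmd.exe /c`. Split the EULA token into its own OR list next to the `all` list, the same layout `selection4` of win_susp_regsvr32_anomalies.yml uses in this change. The file name `win_susp_psexex_paexec_flags.yml` also looks like a typo of `psexec`.
```yaml
  selection_flags_2:
    CommandLine|contains:  # Accepting EULA in commandline - often used in automated attacks
      - ' /accepteula '
      - ' -accepteula '
    CommandLine|contains|all:
      - 'cmd'
      - ' /c '
      - ' -u '
      - ' -p '
```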
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 67e7d2e28fd..16413091f82 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -11,8 +11,7 @@ tags:
- attack.collection
- attack.t1560.001
- attack.exfiltration # an old one
- - attack.t1002 # an old one
-
+ - attack.t1002 # an old one
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml
new file mode 100644
index 00000000000..b6e35d7a2b3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rclone_exec.yml
@@ -0,0 +1,37 @@
+title: Rclone Execution via Command Line or PowerShell
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ exec_selection:
+ Image|endswith: '\rclone.exe'
+ ParentImage|endswith:
+ - '\PowerShell.exe'
+ - '\cmd.exe'
+ command_selection:
+ CommandLine|contains:
+ - ' pass '
+ - ' user '
+ - ' copy '
+ - ' mega '
+ - ' sync '
+ - ' config '
+ - ' lsd '
+ - ' remote '
+ - ' ls '
+ description_selection:
+ Description: 'Rsync for cloud storage'
+ condition: command_selection and ( description_selection or exec_selection )
\ No newline at end of file
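Review bot: `exec_selection` requires the parent to be `cmd.exe` or `PowerShell.exe`, so `rclone.exe` started by anything else (a scheduled task, an implant, `pwsh.exe`, explorer) is only caught through `description_selection`, i.e. only while the `Description` version resource is intact. `Image|endswith: '\rclone.exe'` is a strong signal on its own; drop the `ParentImage|endswith` constraint from `exec_selection` (or move it to a separate selection) so that `command_selection and (description_selection or exec_selection)` catches rclone regardless of parent. The file is also missing its trailing newline.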
diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
new file mode 100644
index 00000000000..f6dc1360258
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -0,0 +1,20 @@
+title: Regedit as Trusted Installer
+id: 883835a7-df45-43e4-bf1d-4268768afda4
+description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+references:
+ - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ ParentImage|endswith:
+ - '\TrustedInstaller.exe'
+ - '\ProcessHacker.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
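Review bot: The new rule has neither a `status:` nor a `tags:` entry, unlike the other rules added in this change (e.g. win_susp_register_cimprovider.yml), so tooling that keys on those fields will skip it. Add `status: experimental` and a tags block; launching regedit under TrustedInstaller's token via ProcessHacker is access-token manipulation, so `attack.privilege_escalation` / `attack.t1134` look like the closest fit — verify. `falsepositives: Unlikely` is also optimistic for the `\ProcessHacker.exe` parent, since administrators who use Process Hacker's run-as feature will trip this at level high.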
diff --git a/rules/windows/process_creation/win_susp_register_cimprovider.yml b/rules/windows/process_creation/win_susp_register_cimprovider.yml
new file mode 100644
index 00000000000..5244e22ffdf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_register_cimprovider.yml
@@ -0,0 +1,28 @@
+title: DLL Execution Via Register-cimprovider.exe
+id: a2910908-e86f-4687-aeba-76a5f996e652
+status: experimental
+description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+references:
+ - https://twitter.com/PhilipTsukerman/status/992021361106268161
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
+tags:
+ - attack.defense_evasion
+ - attack.t1574
+author: Ivan Dyachkov, Yulia Fomina, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image|endswith: '\register-cimprovider.exe'
+ CommandLine|contains|all:
+ - '-path'
+ - 'dll'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
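Review bot: The `definition:` string has a typo, `msut` → `must`; the line should read `definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must include command line in process creation events'`. On the detection, `'-path'` and `'dll'` are both substrings that a legitimate provider registration presumably also contains, so with `falsepositives: Unknown` this will likely fire on installers that register CIM providers — consider documenting that expectation, or adding a parent-process filter once the false positives are known.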
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index b4e4cc09b19..8f8353422bc 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -2,9 +2,9 @@ title: Regsvr32 Anomaly
id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/01/16
-modified: 2020/08/28
+modified: 2020/11/28
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
tags:
@@ -14,31 +14,33 @@ tags:
- attack.t1117 # an old one
- car.2019-04-002
- car.2019-04-003
-
logsource:
category: process_creation
product: windows
detection:
selection1:
- Image: '*\regsvr32.exe'
- CommandLine: '*\Temp\\*'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: '\Temp\'
selection2:
- Image: '*\regsvr32.exe'
- ParentImage: '*\powershell.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\powershell.exe'
selection3:
- Image: '*\regsvr32.exe'
- ParentImage: '*\cmd.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\cmd.exe'
selection4:
- Image: '*\regsvr32.exe'
- CommandLine:
- - '*/i:http* scrobj.dll'
- - '*/i:ftp* scrobj.dll'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains|all:
+ - '/i:'
+ CommandLine|contains:
+ - 'http'
+ - 'ftp'
+ CommandLine|endswith: 'scrobj.dll'
selection5:
- Image: '*\wscript.exe'
- ParentImage: '*\regsvr32.exe'
+ Image|endswith: '\wscript.exe'
+ ParentImage|endswith: '\regsvr32.exe'
selection6:
- Image: '*\EXCEL.EXE'
- CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
+ Image|endswith: '\EXCEL.EXE'
+ CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
condition: 1 of them
fields:
- CommandLine
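Review bot: In `selection4` the `/i:` token and the `http`/`ftp` tokens are now matched independently, whereas the removed patterns required `/i:http` and `/i:ftp` to be contiguous; as a free substring `ftp` also matches `sftp` or a path like `\ftp-tools\`, and `http` matches any URL elsewhere on the line. Restore the adjacency with a single OR list — `CommandLine|contains:` with `- '/i:http'` and `- '/i:ftp'` — and drop the one-element `contains|all` list. `CommandLine|endswith: 'scrobj.dll'` still misses a trailing quote or space after the DLL name, as the original did.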
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
index dcab5bd6375..f421c1cd61b 100644
--- a/rules/windows/process_creation/win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -15,7 +15,7 @@ detection:
- 'Sysinternals DebugView'
- 'Sysinternals Debugview'
filter:
- OriginalFilename: 'Dbgview.exe'
+ OriginalFileName: 'Dbgview.exe'
Image|endswith: '\Dbgview.exe'
condition: selection and not filter
falsepositives:
diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml
new file mode 100644
index 00000000000..cc1d5f2090b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml
@@ -0,0 +1,25 @@
+title: Renamed PAExec
+id: c4e49831-1496-40cf-8ce1-b53f942b02f9
+status: experimental
+description: Detects suspicious renamed PAExec execution as often used by attackers
+references:
+ - https://www.poweradmin.com/paexec/
+author: Florian Roth
+date: 2021/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Description: 'PAExec Application'
+ selection2:
+ OriginalFilename: 'PAExec.exe'
+ filter:
+ Image|endswith:
+ - '\PAexec.exe'
+ - '\paexec.exe'
+ condition: ( selection1 or selection2 ) and not filter
+falsepositives:
+ - Weird admins that rename their tools
+ - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+level: high
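Review bot: `selection2` uses `OriginalFilename: 'PAExec.exe'`, but the process_creation field is `OriginalFileName` — the very spelling this commit corrects in win_susp_renamed_debugview.yml — so on backends that map fields by exact name this selection never matches and the rule degrades to the `Description` check alone. Change it to `OriginalFileName: 'PAExec.exe'`. The two `Image|endswith` entries in `filter` differ only by case; Sigma matching is case-insensitive on most backends, so `'\paexec.exe'` alone suffices unless a case-sensitive backend is targeted.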
diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml
new file mode 100644
index 00000000000..f8656ab4eed
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rpcping.yml
@@ -0,0 +1,41 @@
+title: Capture Credentials with Rpcping.exe
+id: 93671f99-04eb-4ab4-a161-70d446a84003
+description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
+ - https://twitter.com/vysecurity/status/974806438316072960
+ - https://twitter.com/vysecurity/status/873181705024266241
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ use_rpcping:
+ Image|endswith: '\rpcping.exe'
+ remote_server:
+ CommandLine|contains:
+ - '-s'
+ - '/s'
+ ntlm_auth:
+ - CommandLine|contains|all:
+ - '-u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '/u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '-t'
+ - 'ncacn_np'
+ - CommandLine|contains|all:
+ - '/t'
+ - 'ncacn_np'
+ condition: use_rpcping and remote_server and ntlm_auth
+level: medium
+falsepositives:
+ - Unlikely
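Review bot: The flag tokens in `remote_server` and `ntlm_auth` are bare substrings (`'-s'`, `'/s'`, `'-u'`, `'/u'`, `'-t'`, `'/t'`), so `-s` also matches inside `-string`, `/s` inside `/server`, and `-t` inside any hyphenated value; the `NTLM`/`ncacn_np` conjuncts keep this rare, but delimiting the flags as rpcping takes them (`/s <server>` per the linked docs) — `- ' -s '` / `- ' /s '`, and likewise for the `-u`/`/u`/`-t`/`/t` entries — removes the ambiguity. The tag `attack.t1003` (OS Credential Dumping) is a loose fit for coercing an outbound NTLM authentication; `attack.t1187` (Forced Authentication) describes the referenced technique more precisely — verify before changing.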
diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index c00c297d42f..2119c1e0eb1 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -4,8 +4,9 @@ description: Detects suspicious process run from unusual locations
status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1036
@@ -15,18 +16,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*:\RECYCLER\\*'
- - '*:\SystemVolumeInformation\\*'
- - 'C:\\Windows\\Tasks\\*'
- - 'C:\\Windows\\debug\\*'
- - 'C:\\Windows\\fonts\\*'
- - 'C:\\Windows\\help\\*'
- - 'C:\\Windows\\drivers\\*'
- - 'C:\\Windows\\addins\\*'
- - 'C:\\Windows\\cursors\\*'
- - 'C:\\Windows\\system32\tasks\\*'
-
+ - Image|contains:
+ - ':\RECYCLER\'
+ - ':\SystemVolumeInformation\'
+ - Image|startswith:
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\debug\'
+ - 'C:\Windows\fonts\'
+ - 'C:\Windows\help\'
+ - 'C:\Windows\drivers\'
+ - 'C:\Windows\addins\'
+ - 'C:\Windows\cursors\'
+ - 'C:\Windows\system32\tasks\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
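Review bot: `':\SystemVolumeInformation\'` does not match the real root folder, which is named `System Volume Information` (with spaces), so this entry — carried over unchanged from the old pattern — can never fire; it should read `- ':\System Volume Information\'` unless a different folder was intended. The `Image|startswith` list also hard-codes the `C:` drive while the `contains` entries above it are drive-agnostic; switching those to `Image|contains` with prefixes like `':\Windows\Tasks\'` covers systems installed on another drive letter, at the cost of matching the same subtree under any drive.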
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 5e810d444ad..f04faf4d739 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -11,27 +11,67 @@ tags:
- attack.execution # an old one
- attack.t1218.011
- attack.t1085 # an old one
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '*\rundll32.exe* url.dll,*OpenURL *'
- - '*\rundll32.exe* url.dll,*OpenURLA *'
- - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
- - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
- - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
- - '*\rundll32.exe javascript:*'
- - '* url.dll,*OpenURL *'
- - '* url.dll,*OpenURLA *'
- - '* url.dll,*FileProtocolHandler *'
- - '* zipfldr.dll,*RouteTheCall *'
- - '* Shell32.dll,*Control_RunDLL *'
- - '* javascript:*'
- - '*.RegisterXLL*'
+ - CommandLine|contains:
+ - 'javascript:'
+ - '.RegisterXLL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURLA'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'FileProtocolHandler'
+ - CommandLine|contains|all:
+ - 'zipfldr.dll'
+ - 'RouteTheCall'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'Control_RunDLL'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'ShellExec_RunDLL'
+ - CommandLine|contains|all:
+ - 'mshtml.dll'
+ - 'PrintHTML'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieframe.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'shdocvw.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'syssetup.dll'
+ - SetupInfObjectInstallAction'
+ - CommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ - CommandLine|contains|all:
+ - 'pcwutl.dll'
+ - 'LaunchApplication'
+ - CommandLine|contains|all:
+ - 'dfshim.dll'
+ - 'ShOpenVerbApplication'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
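Review bot: The entry `- SetupInfObjectInstallAction'` is missing its opening quote; YAML parses it as the plain scalar `SetupInfObjectInstallAction'` with a literal trailing apostrophe, so the `syssetup.dll` pair can never match a real command line — it should be `- 'SetupInfObjectInstallAction'`. Two smaller points: `OpenURL` is a substring of `OpenURLA`, so the `url.dll`/`OpenURLA` pair is redundant, and the removed patterns anchored most pairs to `\rundll32.exe` whereas the new selection has no image or binary constraint at all, so `'javascript:'` in any process's command line now fires. Consider a separate selection with `Image|endswith: '\rundll32.exe'` ANDed into the condition, or `CommandLine|contains: 'rundll32'`, which also covers invocations without the `.exe` suffix.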
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 3e011659637..e51a968d916 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -1,7 +1,7 @@
title: Suspicious Call by Ordinal
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-status: experimental
+status: stable
references:
- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
- https://github.com/Neo23x0/DLLRunner
@@ -13,13 +13,20 @@ tags:
- attack.t1085 # an old one
author: Florian Roth
date: 2019/10/22
+modified: 2021/04/29
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine: '*\rundll32.exe *,#*'
- condition: selection
+ CommandLine|contains|all:
+ - '\rundll32.exe'
+ - ',#'
+ filter:
+ CommandLine|contains|all:
+ - 'EDGEHTML.dll'
+ - '#141'
+ condition: selection and not filter
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Windows control panel elements have been identified as source (mmc)
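Review bot: `'\rundll32.exe'` as a CommandLine token misses invocations typed without a path or extension — `rundll32 foo.dll,#2` from a shell is recorded exactly like that, with no backslash and no `.exe` — so promoting the rule to `stable` in the same change overstates its coverage. Pin the binary through the image and keep only the ordinal token in the command line: `Image|endswith: '\rundll32.exe'` plus `CommandLine|contains: ',#'`, replacing the `contains|all` list. The `EDGEHTML.dll` / `#141` filter can stay as is.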
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
new file mode 100644
index 00000000000..e85f144ea88
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
@@ -0,0 +1,22 @@
+title: Suspicious Rundll32 Invoking Inline VBScript
+id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'Execute'
+ - 'RegRead'
+ - 'window.close'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
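Review bot: This rule has no `tags:` block even though its sibling win_susp_rundll32_sys.yml, added in the same change for the same UNC2452 reference, carries `attack.defense_evasion` / `attack.t1218.011`; add the same two tags for consistency. `'rundll32.exe'` in the `all` list also misses `rundll32 vbscript:...` invoked without the extension — `'rundll32'` covers both spellings, and the `Execute`/`RegRead`/`window.close` conjuncts keep the rule specific.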
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
new file mode 100644
index 00000000000..b45e3b4e019
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -0,0 +1,27 @@
+title: Suspicious Rundll32 Without Any CommandLine Params
+id: 1775e15e-b61b-4d14-a1a3-80981298085a
+description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+status: experimental
+references:
+ - https://www.cobaltstrike.com/help-opsec
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith: '\rundll32.exe'
+ filter1:
+ ParentImage|endswith: '\svchost.exe'
+ filter2:
+ ParentImage|contains:
+ - '\AppData\Local\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1 and not filter2
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
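Review bot: `filter2` suppresses every bare `rundll32.exe` start whose parent lives under `\AppData\Local\`, which is exactly where user-land droppers and stagers commonly run from, so a loader there spawning the parameterless rundll32 the description attributes to CobaltStrike is filtered out of a `high` rule. If the exclusion exists for particular updaters, name their `\AppData\Local\<vendor>\` prefixes instead of the whole tree; otherwise drop `filter2` and accept the `Possible but rare` false positives. As in win_susp_procs_req_dlls.yml from this change, `CommandLine|endswith: '\rundll32.exe'` also misses the quoted `"...\rundll32.exe"` form; add `- '\rundll32.exe"'` as a second entry.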
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
new file mode 100644
index 00000000000..f1f6dafe90b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -0,0 +1,35 @@
+title: Suspicious Rundll32 Setupapi.dll Activity
+id: 285b85b1-a555-4095-8652-a8a4106af63f
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
+ This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+ InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+ - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+level: medium
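Review bot: `ParentCommandLine|contains: 'setupapi.dll'` is bypassed by `rundll32 setupapi,InstallHinfSection ...`: rundll32 hands the module name to LoadLibrary, which appends `.dll` when the name has no extension, so the suffix is optional on the command line. `- 'setupapi'` covers both spellings, and the `Image`, `ParentImage` and `InstallHinfSection` conjuncts keep the rule specific. The same extension-optional gap applies to the DLL names in win_susp_rundll32_activity.yml, which this change also touches.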
diff --git a/rules/windows/process_creation/win_susp_rundll32_sys.yml b/rules/windows/process_creation/win_susp_rundll32_sys.yml
new file mode 100644
index 00000000000..a59cfd3c28f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_sys.yml
@@ -0,0 +1,25 @@
+title: Suspicious Rundll32 Activity Invoking Sys File
+id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
+description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: 'rundll32.exe'
+ selection2:
+ CommandLine|contains:
+ - '.sys,'
+ - '.sys '
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml
new file mode 100644
index 00000000000..f36b66f6f2c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runonce_execution.yml
@@ -0,0 +1,29 @@
+title: Run Once Task Execution as Configured in Registry
+id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
+description: This rule detects the execution of Run Once task as configured in the registry
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_name:
+ Image|endswith:
+ - '\runonce.exe'
+ process_description:
+ Description:
+ - 'Run Once Wrapper'
+ command_line:
+ CommandLine|contains:
+ - ' /AlternateShellStartup'
+ condition: (process_name or process_description) and command_line
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml
new file mode 100644
index 00000000000..3bea7fb7ed4
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
@@ -0,0 +1,27 @@
+title: Suspicious Runscripthelper.exe
+id: eca49c87-8a75-4f13-9c73-a5a29e845f03
+status: experimental
+description: Detects execution of powershell scripts via Runscripthelper.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\Runscripthelper.exe'
+ cmd:
+ CommandLine|contains: 'surfacecheck'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 491f18dd08a..1647d2f54b8 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -9,8 +9,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\schtasks.exe'
- CommandLine: '* /create *'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains: ' /create '
filter:
User: NT AUTHORITY\SYSTEM
condition: selection and not filter
diff --git a/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml b/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml
new file mode 100644
index 00000000000..65fda53ba75
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml
@@ -0,0 +1,30 @@
+title: Suspicious Scheduled Task Creation Involving Temp Folder
+id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
+status: experimental
+description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+author: Florian Roth
+date: 2021/03/11
+references:
+ - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - ' /create '
+ - ' /sc once '
+ - '\Temp\'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
+falsepositives:
+ - Administrative activity
+ - Software installation
+level: high
diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
new file mode 100644
index 00000000000..82f5e0f3522
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
@@ -0,0 +1,33 @@
+title: Suspicious Service DACL Modification
+id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable
+author: Jonhnathan Ribeiro, oscd.community
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+ - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+tags:
+ - attack.persistence
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\sc.exe'
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'D;;'
+ sids:
+ CommandLine|contains:
+ - ';;;IU'
+ - ';;;SU'
+ - ';;;BA'
+ - ';;;SY'
+ - ';;;WD'
+ condition: selection and sids
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_service_dir.yml b/rules/windows/process_creation/win_susp_service_dir.yml
new file mode 100644
index 00000000000..bc04c1e4b83
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_dir.yml
@@ -0,0 +1,32 @@
+title: Suspicious Service Binary Directory
+id: 883faa95-175a-4e22-8181-e5761aeb373c
+description: Detects a service binary running in a suspicious directory
+author: Florian Roth
+date: 2021/03/09
+status: experimental
+references:
+ - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - '\Users\Public\'
+ - '\$Recycle.bin'
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - 'C:\Perflogs\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\svchost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
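Review bot: `'C:\Perflogs\'` in the Image|contains list is the only entry anchored to a drive letter, so a system installed on another drive is not covered by that entry while every neighbouring value is drive-agnostic; `- '\Perflogs\'` keeps the list consistent. Given that all other values are relative path fragments, the drive prefix reads as an oversight rather than intent, and if it is deliberate a short comment on that line would save the next reader the question.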
diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
index 8218f2a88f2..198851a1330 100644
--- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
@@ -2,8 +2,9 @@ title: Suspicious Shells Spawn by SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
status: experimental
-author: FPT.EagleEye Team
+author: FPT.EagleEye Team, wagga
date: 2020/12/11
+modified: 2021/06/27
tags:
- attack.t1100
- attack.t1190
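Review bot: `attack.t1100` in the tags appears to be a deprecated ATT&CK ID (web shell was moved to the T1505.003 sub-technique), so it is worth replacing with `- attack.t1505.003` while this metadata block is already being edited; the description's "sight of RCE" also reads as a typo for "sign of RCE". Both lines are unchanged context in this hunk, but the commit touches author/modified right next to them.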
@@ -15,12 +16,12 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\sqlservr.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith: '\sqlservr.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
condition: selection
level: critical
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 00000000000..41b2a3c2e8a
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,28 @@
+title: Dumping Process via Sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+level: medium
+
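Review bot: The second CommandLine|contains value `'0x01100:40'` is redundant, because `'0x0110'` is a substring of it and a contains match on the first value already covers every command line the second would match; the list reduces to `CommandLine|contains: '0x0110'`. If the two entries are meant to document two distinct dump-flag forms, a comment saying so would help, since as written they read as two separate cases. The trailing empty `+` line at the end of the file can also be dropped.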
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index b0778818716..f64de8c5dca 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -9,9 +9,9 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
-author: Karneades / Markus Neis
+author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2019/11/12
-modified: 2020/08/28
+modified: 2020/11/28
falsepositives:
- 1Clipboard
- Beaker Browser
@@ -51,10 +51,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
- CommandLine:
- - '*--processStart*.exe*'
- - '*--processStartAndWait*.exe*'
- - '*--createShortcut*.exe*'
+ Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+ CommandLine|contains:
+ - '--processStart'
+ - '--processStartAndWait'
+ - '--createShortcut'
+ CommandLine|contains|all:
+ - '.exe'
condition: selection
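Review bot: `CommandLine|contains|all:` with the single value `'.exe'` is equivalent to `CommandLine|contains: '.exe'`; the `|all` modifier only has meaning for lists of two or more values, so the simpler form is clearer. Note also that, because the `.exe` check is now a separate key from the `--processStart*` list, the ordering the old `'*--processStart*.exe*'` pattern enforced is no longer required; if that looser match is intentional a one-line comment above the selection would make it explicit.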
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 717a7bea2ac..39c9ae4cf68 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -14,14 +14,14 @@ logsource:
product: windows
detection:
selection:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
filter:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- - '*\Mrt.exe'
- - '*\rpcnet.exe'
- - '*\svchost.exe'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\MsMpEng.exe'
+ - '\Mrt.exe'
+ - '\rpcnet.exe'
+ - '\svchost.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index 68c4260f4ad..dea91d765cf 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -15,9 +15,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\sysprep.exe *\AppData\\*'
- - sysprep.exe *\AppData\\*
+ Image|endswith:
+ - '\sysprep.exe'
+ CommandLine|contains:
+ - '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 3c8c2be8373..f6ac9d33112 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -5,9 +5,9 @@ description: Detects Access to Domain Group Policies stored in SYSVOL
references:
- https://adsecurity.org/?p=2288
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
+author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018/04/09
-modified: 2020/08/28
+modified: 2020/11/28
tags:
- attack.credential_access
- attack.t1552.006
@@ -17,7 +17,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*\SYSVOL\\*\policies\\*'
+ CommandLine|contains|all:
+ - '\SYSVOL\'
+ - '\policies\'
condition: selection
falsepositives:
- administrative activity
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 4b515c7f8f2..4ac61fed999 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -13,7 +13,7 @@ logsource:
detection:
selection:
User: NT AUTHORITY\SYSTEM
- Image: '*\taskmgr.exe'
+ Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
index 70d85212350..f5819723908 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@@ -12,12 +12,12 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\taskmgr.exe'
+ ParentImage|endswith: '\taskmgr.exe'
filter:
- Image:
- - '*\resmon.exe'
- - '*\mmc.exe'
- - '*\taskmgr.exe'
+ Image|endswith:
+ - '\resmon.exe'
+ - '\mmc.exe'
+ - '\taskmgr.exe'
condition: selection and not filter
fields:
- Image
diff --git a/rules/windows/process_creation/win_susp_tracker_execution.yml b/rules/windows/process_creation/win_susp_tracker_execution.yml
new file mode 100644
index 00000000000..08ef303cc38
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tracker_execution.yml
@@ -0,0 +1,31 @@
+title: DLL Injection with Tracker.exe
+id: 148431ce-4b70-403d-8525-fcc2993f29ea
+description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_name:
+ Image|endswith:
+ - '\tracker.exe'
+ process_description:
+ Description:
+ - 'Tracker'
+ commandline_param1:
+ CommandLine|contains:
+ - ' /d '
+ commandline_param2:
+ CommandLine|contains:
+ - ' /c '
+ condition: (process_name or process_description) and commandline_param1 and commandline_param2
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index 6691257e4fd..b11145b6106 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
User: NT AUTHORITY\SYSTEM
- Image: '*\tscon.exe'
+ Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index 927cbef6238..15b5dfc311e 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* /dest:rdp-tcp:*'
+ CommandLine|contains: ' /dest:rdp-tcp:'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
new file mode 100644
index 00000000000..28b3928a031
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
@@ -0,0 +1,31 @@
+title: Detection of PowerShell Execution via Sqlps.exe
+id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
+ - https://twitter.com/bryon_/status/975835709587075072
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqlps.exe'
+ selection2:
+ ParentImage|endswith: '\sqlps.exe'
+ selection3:
+ OriginalFileName: '\sqlps.exe'
+ reduction:
+ ParentImage|endswith: '\sqlagent.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
+level: medium
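Review bot: `OriginalFileName: '\sqlps.exe'` in selection3 will never match, because OriginalFileName is the PE version-resource value and carries no path, so the leading backslash should go: `OriginalFileName: 'sqlps.exe'`, as win_susp_whoami.yml in this same commit writes it. The condition `selection1 or selection2 or selection3 and not reduction` also has a precedence problem: `and` binds tighter than `or` in Sigma conditions, so `not reduction` only constrains selection3 and the sqlagent.exe parent exclusion never applies to selection1/selection2; write `condition: (selection1 or selection2 or selection3) and not reduction`. Both issues recur in win_susp_use_of_sqltoolsps_bin.yml, and the OriginalFileName one also in win_susp_use_of_te_bin.yml.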
diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
new file mode 100644
index 00000000000..0e74bea2b5b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
@@ -0,0 +1,31 @@
+title: SQL Client Tools PowerShell Session Detection
+id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.communitly'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqltoolsps.exe'
+ selection2:
+ ParentImage|endswith: '\sqltoolsps.exe'
+ selection3:
+ OriginalFileName: '\sqltoolsps.exe'
+ reduction:
+ ParentImage|endswith: '\smss.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+level: medium
+
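Review bot: The author string `'Agro (@agro_sev) oscd.communitly'` has a typo in the community name; `'Agro (@agro_sev) oscd.community'` matches the same author's other rules in this commit. The trailing empty `+` line at the end of the file can be dropped as well.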
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
new file mode 100644
index 00000000000..d74b74b0b55
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
@@ -0,0 +1,27 @@
+title: Malicious Windows Script Components File Execution by TAEF Detection
+id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
+status: experimental
+description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+ - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
+tags:
+ - attack.t1218
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\te.exe'
+ selection2:
+ ParentImage|endswith: '\te.exe'
+ selection3:
+ OriginalFileName: '\te.exe'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+ - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+level: low
+
diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
new file mode 100644
index 00000000000..529aff91d86
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
@@ -0,0 +1,28 @@
+title: Malicious PE Execution by Microsoft Visual Studio Debugger
+id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
+status: experimental
+description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
+references:
+ - https://twitter.com/pabraeken/status/990758590020452353
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml
+ - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+date: 2020/10/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vsjitdebugger.exe'
+ reduction1:
+ ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
+ reduction2:
+ ChildImage|endswith: '\devenv.exe'
+ condition: selection and not (reduction1 or reduction2)
+falsepositives:
+ - the process spawned by vsjitdebugger.exe is uncommon.
+level: medium
+
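Review bot: `ChildImage|endswith` in reduction1 and reduction2 names a field that does not exist in the process_creation log source — the spawned process is `Image`, the field every other rule in this commit uses — so neither reduction ever matches and the devenv.exe / vsimmersiveactivatehelper children are not filtered out; change both lines to `Image|endswith:`. The `*` inside `'\vsimmersiveactivatehelper*.exe'` is also being relied on as a wildcard in combination with the endswith modifier, which may not be handled identically by every backend; a comment on that line noting the intended wildcard would help, or the value could be shortened to a plain suffix.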
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
index c07a989c668..1b22804ee7d 100644
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -6,16 +6,17 @@ references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
+modified: 2021/06/27
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
filter1:
- CommandLine: '*\\netlogon\\*'
+ CommandLine|contains: '\netlogon\'
filter2:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
condition: selection and not filter1 and not filter2
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
new file mode 100644
index 00000000000..024b5149954
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -0,0 +1,31 @@
+title: Suspicious VBoxDrvInst.exe Parameters
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
+ For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+ - https://twitter.com/pabraeken/status/993497996179492864
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine|contains|all:
+ - 'driver'
+ - 'executeinf'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
new file mode 100644
index 00000000000..d224ddbf9fa
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
@@ -0,0 +1,26 @@
+title: Suspicious VBScript UN2452 Pattern
+id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+description: Detects suspicious inline VBScript keywords as used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Execute'
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ - '\Microsoft\Windows\CurrentVersion'
+ filter:
+ CommandLine|contains:
+ - '\Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index 1d3ec9ced87..5fab95fae44 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -16,11 +16,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\whoami.exe'
+ Image|endswith: '\whoami.exe'
selection2:
OriginalFileName: 'whoami.exe'
condition: selection or selection2
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
-level: high
+ - Monitoring activity
+level: medium
diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
new file mode 100644
index 00000000000..5ed592814c7
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
@@ -0,0 +1,47 @@
+action: global
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+status: experimental
+references:
+ - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+level: medium
+falsepositives:
+ - Unlikely
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ contains_format_pretty_arg:
+ CommandLine|contains:
+ - 'format:pretty'
+ - 'format:"pretty"'
+ - 'format:"text"'
+ - 'format:text'
+ image_from_system_folder:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ contains_winrm:
+ CommandLine|contains: 'winrm'
+ condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ system_files:
+ TargetFilename|endswith:
+ - 'WsmPty.xsl'
+ - 'WsmTxt.xsl'
+ in_system_folder:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: system_files and not in_system_folder
diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml
new file mode 100644
index 00000000000..2ecb2b39eb8
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_execution.yml
@@ -0,0 +1,27 @@
+title: Remote Code Execute via Winrm.vbs
+id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
+description: Detects an attempt to execude code or create service on remote host via winrm.vbs.
+status: experimental
+references:
+ - https://twitter.com/bohops/status/994405551751815170
+ - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+author: Julia Fomina, oscd.community
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - 'winrm'
+ - 'invoke Create wmicimv2/Win32_'
+ - '-r:http'
+ condition: selection
+level: medium
+falsepositives:
+ - Legitimate use for administartive purposes. Unlikely
+
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 3c33aca3b6a..c6316f7a623 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -6,21 +6,31 @@ references:
- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth, juju4
+author: Michael Haag, Florian Roth, juju4, oscd.community
date: 2019/01/16
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/NODE:*process call create *'
- - '* path AntiVirusProduct get *'
- - '* path FirewallProduct get *'
- - '* shadowcopy delete *'
- condition: selection
+ Image|endswith: '\wmic.exe'
+ selection2:
+ CommandLine|contains|all:
+ - 'process'
+ - 'call'
+ - 'create '
+ recon_part1:
+ CommandLine|contains: ' path '
+ recon_part2:
+ CommandLine|contains:
+ - 'AntiVirus'
+ - 'Firewall'
+ CommandLine|contains|all:
+ - 'Product'
+ - ' get '
+ condition: (selection and selection2) or
+ (selection and recon_part1 and recon_part2)
fields:
- CommandLine
- ParentCommandLine
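Review bot: The rewritten selection drops the `shadowcopy delete` pattern that the removed CommandLine list covered, so wmic-driven shadow copy deletion is no longer caught by this rule unless another rule in the set took it over; if it did not, it should come back as its own selection OR-ed into the condition. The condition is also written as a two-line plain scalar, which YAML folds into one line, so it parses today but is fragile against re-indentation; keeping it on one line (or using `>-`) makes that explicit.

```yaml
  # … unchanged: selection, selection2, recon_part1, recon_part2 …
  shadowcopy:
    CommandLine|contains|all:
      - 'shadowcopy'
      - 'delete'
  condition: (selection and selection2) or (selection and recon_part1 and recon_part2) or (selection and shadowcopy)
```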
diff --git a/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml b/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml
new file mode 100644
index 00000000000..17d3021c5e5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml
@@ -0,0 +1,27 @@
+title: Suspicious WMIC ActiveScriptEventConsumer Creation
+id: ebef4391-1a81-4761-a40a-1db446c0e625
+status: experimental
+description: Detects WMIC executions in which a event consumer gets created in order to establish persistence
+references:
+ - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
+ - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+author: Florian Roth
+date: 2021/06/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'ActiveScriptEventConsumer'
+ - ' CREATE '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.persistence
+ - attack.t1546.003
+falsepositives:
+ - Legitimate software creating script event consumers
+level: high
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
new file mode 100644
index 00000000000..71c561a9b2c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+author: 'oscd.community, Zach Stanford @svch0st'
+date: 2020/10/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wsl.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --exec '
+ condition: selection
+falsepositives:
+ - Automation and orchestration scripts may use this method execute scripts etc
+level: medium
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml
index dde4a5f13ef..9d36bc717e2 100644
--- a/rules/windows/process_creation/win_susp_wuauclt.yml
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml
@@ -6,6 +6,7 @@ references:
- https://dtm.uk/wuauclt/
author: FPT.EagleEye Team
date: 2020/10/17
+modified: 2021/05/12
tags:
- attack.command_and_control
- attack.execution
@@ -13,10 +14,10 @@ tags:
- attack.t1218
logsource:
product: windows
- service: process_creation
+ category: process_creation
detection:
selection:
- ProcessCommandline|contains|all:
+ ProcessCommandLine|contains|all:
- '/UpdateDeploymentProvider'
- '/RunHandlerComServer'
Image|endswith:
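Review bot: `ProcessCommandLine|contains|all:` at L22271 fixes the capitalisation but is still not the field the other `process_creation` rules in this diff use; now that the logsource is `category: process_creation` (L22267), the standard field is `CommandLine` (compare L22204 and L22244), otherwise the generic field mapping will not apply on conversion. Change the line to `CommandLine|contains|all:`. The `detection` block continues past the end of the hunk.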
@@ -24,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000000..203fefb9273
--- /dev/null
+++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
@@ -0,0 +1,30 @@
+action: global
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+detection:
+ condition: selection
+falsepositives:
+ - App-V clients
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\SyncAppvPublishingServer.exe'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ Message|contains: 'SyncAppvPublishingServer.exe'
\ No newline at end of file
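Review bot: The new rule has no `status` field, unlike the other rules added in this commit (L22225, L22457, L22495), and the file ends without a trailing newline, a defect the same commit fixes elsewhere (L22279–L22281, L22445–L22447). Add `status: experimental` after the `id` line and terminate the file with a newline. The third document at L22312–L22317 is a `service: powershell` source placed in a file under `process_creation/`; a comment above that document such as `# second source: PowerShell script-block text mentioning the binary` would explain why it lives here.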
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 41475ce2538..da03e08cd54 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
- https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss
+author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
date: 2017/11/27
modified: 2021/03/02
tags:
@@ -15,40 +15,40 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\explorer.exe'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '*\SystemRoot\System32\\*'
- - 'C:\avast! sandbox*'
+ - Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\avast! sandbox'
+ - Image|contains: '\SystemRoot\System32\'
+ - Image: 'C:\Windows\explorer.exe'
condition: selection and not filter
fields:
- ComputerName
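Review bot: Sigma string matching is case-insensitive by the specification's default, so the paired entries at L22394/L22395, L22396/L22397 and L22398/L22399 duplicate each other and can collapse to a single path each (`'C:\Windows\System32\'`, `'C:\Windows\SysWOW64\'`, `'C:\Windows\WinSxS\'`), the way the selection list already handles `\Taskmgr.exe` and `\RuntimeBroker.exe` with one spelling. If a case-sensitive backend is the reason both spellings are kept, a comment above `filter:` saying so would stop the next reviewer from deduplicating them.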
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index a10446c679f..402ff361561 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
date: 2020/01/13
-modified: 2020/08/29
+modified: 2021/05/30
author: Sreeman
tags:
- attack.defense_evasion
@@ -17,7 +17,7 @@ tags:
- attack.t1064 # an old one
logsource:
- product: Windows
+ product: windows
detection:
selection1:
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index 0e476733549..f49573a1d5c 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -18,10 +18,12 @@ logsource:
category: process_creation
detection:
selection:
- ParentCommandLine: '*\svchost.exe*termsvcs'
+ ParentCommandLine|contains|all:
+ - '\svchost.exe'
+ - 'termsvcs'
filter:
- Image: '*\rdpclip.exe'
+ Image|endswith: '\rdpclip.exe'
condition: selection and not filter
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
new file mode 100644
index 00000000000..aa3b6307367
--- /dev/null
+++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
@@ -0,0 +1,33 @@
+title: Using SettingSyncHost.exe as LOLBin
+description: Detects using SettingSyncHost.exe to run hijacked binary
+id: b2ddd389-f676-4ac4-845a-e00781a48e5f
+status: experimental
+references:
+ - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1574.008
+author: Anton Kutepov, oscd.community
+date: 2020/02/05
+modified: 2020/10/10
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ system_utility:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ parent_is_settingsynchost:
+ ParentCommandLine|contains|all:
+ - 'cmd.exe /c'
+ - 'RoamDiag.cmd'
+ - '-outputpath'
+ condition: not system_utility and parent_is_settingsynchost
+fields:
+ - TargetFilename
+ - Image
+falsepositives:
+ - unknown
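Review bot: `fields:` at L22482–L22484 lists `TargetFilename`, which is not a process_creation field (it belongs to file events); for this logsource `CommandLine` and `ParentCommandLine` are the columns worth surfacing, as the sibling rules do (L22208–L22210). Replace `- TargetFilename` with `- CommandLine` and `- ParentCommandLine`. `- unknown` at L22486 should also follow the capitalised `- Unknown` used elsewhere in this commit (L22517, L22821).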
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
new file mode 100644
index 00000000000..99c649aecbd
--- /dev/null
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -0,0 +1,29 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
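Review bot: `CommandLine|contains: '/S'` and `'/C'` at L22510 and L22512 are single-character switches tested as substrings, so every verclsid.exe command line that carries both will match, including any benign invocations by the shell that pass the same switches; with `falsepositives: Unknown` at L22517 the expected volume of this rule is unassessed. If the switches are always space-delimited, anchoring them as `' /S '` and `' /C '` avoids accidental substring hits, and the benign invocations that remain should be recorded under `falsepositives`.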
diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml
new file mode 100644
index 00000000000..3682987bf58
--- /dev/null
+++ b/rules/windows/process_creation/win_visual_basic_compiler.yml
@@ -0,0 +1,22 @@
+title: Visual Basic Command Line Compiler Usage
+id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
+status: experimental
+description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vbc.exe'
+ Image|endswith: '\cvtres.exe'
+ condition: selection
+falsepositives:
+ - Utilization of this tool should not be seen in enterprise environment
+level: high
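Review bot: The falsepositives entry at L22548 says the tool should not be seen in an enterprise environment, but vbc.exe ships with the .NET Framework and cvtres.exe is invoked by it during ordinary builds, so developer workstations and build agents will trigger this `high` rule routinely. Reword it to `- Legitimate builds on developer workstations and build servers` and either lower `level` or add a filter for the hosts or parent paths where compilation is expected.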
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 654135a4381..06b658f9626 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -9,10 +9,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*transport=dt_socket,address=*'
+ CommandLine|contains: 'transport=dt_socket,address='
exclusion:
- - CommandLine: '*address=127.0.0.1*'
- - CommandLine: '*address=localhost*'
+ - CommandLine|contains: 'address=127.0.0.1'
+ - CommandLine|contains: 'address=localhost'
condition: selection and not exclusion
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index a5d273e444f..09d43265660 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -1,12 +1,12 @@
title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
date: 2017/01/01
-modified: 2021/01/11
+modified: 2021/03/02
tags:
- attack.persistence
- attack.t1505.003
@@ -19,36 +19,51 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- ParentImage:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
- CommandLine:
- - '*whoami*'
- - '*net user *'
- - '*net use *'
- - '*net group *'
- - '*quser*'
- - '*ping -n *'
- - '*systeminfo'
- - '*&cd&echo*'
- - '*cd /d*' # https://www.computerhope.com/cdhlp.htm
- - '*ipconfig*'
- - '*pathping*'
- - '*tracert*'
- - '*netstat*'
- - '*schtasks*'
- - '*vssadmin*'
- - '*wevtutil*'
- - '*tasklist*'
- - '*wmic /node:*'
- - '*Test-NetConnection*'
- - '*dir \*' # remote dir: dir \\C$:\windows\temp\*.exe
- condition: selection
+ parent_is_web_server_process:
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ net_utility:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains:
+ - ' user '
+ - ' use '
+ - ' group '
+ ping_utility:
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: ' -n '
+ change_dir:
+ CommandLine|contains:
+ - '&cd&echo' # china chopper web shell
+ - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
+ wmic_utility:
+ Image|endswith: '\wmic.exe'
+ CommandLine|contains: ' /node:'
+ misc_discovery_binaries:
+ Image|endswith:
+ - '\whoami.exe'
+ - '\systeminfo.exe'
+ - '\quser.exe'
+ - '\ipconfig.exe'
+ - '\pathping.exe'
+ - '\tracert.exe'
+ - '\netstat.exe'
+ - '\schtasks.exe'
+ - '\vssadmin.exe'
+ - '\wevtutil.exe'
+ - '\tasklist.exe'
+ misc_discovery_commands:
+ CommandLine|contains:
+ - ' Test-NetConnection '
+ - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe
+ condition: parent_is_web_server_process and (net_utility or ping_utility or change_dir or wmic_utility or misc_discovery_binaries or misc_discovery_commands)
fields:
- CommandLine
- ParentCommandLine
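Review bot: The space-delimited patterns in `net_utility` (L22635–L22637) and `misc_discovery_commands` (L22663) require a trailing space, so a command line that ends with the keyword — `net user` with no further argument, or `Test-NetConnection` as the last token — is not matched, whereas the replaced `'*Test-NetConnection*'` at L22618 did catch the latter. Drop the trailing space where the keyword can be terminal: `- ' user'`, `- ' group'` and `- ' Test-NetConnection'` (the existing `' use '` is then subsumed by `' use'`). The `fields` section from L22666 continues past the hunk.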
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index a6004cc2266..5c9663ce7a7 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -16,21 +16,23 @@ logsource:
product: windows
detection:
selection:
- ParentImage|contains:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ selection2:
Image|endswith:
- - '*\cmd.exe'
+ - '\cmd.exe'
CommandLine|contains:
- - '*perl --help*'
- - '*python --help*'
- - '*wget --help*'
- - '*perl -h*'
- condition: selection
+ - 'perl --help'
+ - 'python --help'
+ - 'wget --help'
+ - 'perl -h'
+ condition: selection and selection2
fields:
- Image
- CommandLine
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 982cd23f8bf..197567f6ae1 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -10,18 +10,19 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- - '*\tomcat.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\tomcat.exe'
+ - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
condition: selection
fields:
- CommandLine
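Review bot: `'\tomcat.exe'` at L22735 with `endswith` only matches a service binary named exactly tomcat.exe, whereas the sibling rule touched in this same commit uses `ParentImage|contains: '\tomcat'` (L22629, L22685) to also cover versioned binaries and anything installed under a tomcat directory; the two rules should agree on how the parent is identified. Turning the parent match into a list of two maps, as L22684–L22691 does, with `- ParentImage|contains: '\tomcat'` beside the `endswith` list keeps the rest of the entries unchanged. The `fields` block from L22744 continues past the hunk.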
diff --git a/rules/windows/process_creation/win_whoami_priv.yml b/rules/windows/process_creation/win_whoami_priv.yml
new file mode 100644
index 00000000000..3cd02819c51
--- /dev/null
+++ b/rules/windows/process_creation/win_whoami_priv.yml
@@ -0,0 +1,23 @@
+title: Run Whoami Showing Privileges
+id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
+status: experimental
+description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+author: Florian Roth
+date: 2021/05/05
+tags:
+ - attack.privilege_escalation
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\whoami.exe'
+ CommandLine|contains: '/priv'
+ condition: selection
+falsepositives:
+ - Administrative activity (rare lookups on current privileges)
+level: high
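Review bot: `privieleges` in the description at L22755 is misspelled; the clause should read `instructing the tool to show all current user privileges`. The description is what analysts see in the generated alert, so the typo propagates into every backend the rule is converted for.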
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 93db4c7d28a..28289134504 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -13,7 +13,11 @@ logsource:
detection:
selection:
Image|endswith: '\schtasks.exe'
- CommandLine: '*/change*/TN*/RU*/RP*'
+ CommandLine|contains|all:
+ - '/change'
+ - '/TN'
+ - '/RU'
+ - '/RP'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
new file mode 100644
index 00000000000..cae14f6046d
--- /dev/null
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -0,0 +1,25 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: experimental
+description: Detects Winword.exe loading of custmom dll via /l cmd switch
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
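Review bot: `CommandLine|contains: '/l'` at L22813 is a two-character substring that also matches inside URLs, UNC paths and any longer switch beginning with `/l`, which is hard to reconcile with `falsepositives: Unknown` at L22821. Anchoring the switch with a leading space, `CommandLine|contains: ' /l'`, removes the path and URL hits while still catching the documented invocation. `custmom` in the description at L22801 should read `custom`.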
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index ef245116887..4e8ce30d6d1 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -1,7 +1,7 @@
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: experimental
-description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
+description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
author: Florian Roth
date: 2019/10/11
references:
@@ -16,7 +16,7 @@ tags:
- attack.t1084 # an old one
detection:
selection:
- ParentImage: '*\EdgeTransport.exe'
+ ParentImage|endswith: '\EdgeTransport.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index b083acfbf71..dcd52ef39b9 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -19,10 +19,10 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\wmiprvse.exe'
- Image:
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\wmiprvse.exe'
+ Image|endswith:
+ - '\powershell.exe'
filter_null1:
CommandLine: 'null'
filter_null2: # some backends need the null value in a seperate expression
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index bf99d9eb3e3..d5a59f6e06b 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -6,7 +6,7 @@ date: 2019/08/15
modified: 2021/02/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
tags:
- attack.execution
- attack.t1047
@@ -20,13 +20,18 @@ detection:
- LogonId:
- '0x3e7' # LUID 999 for SYSTEM
- 'null' # too many false positives
+ - SubjectLogonId:
+ - '0x3e7' # LUID 999 for SYSTEM
+ - 'null' # too many false positives
- User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
- Image|endswith:
- '\WmiPrvSE.exe'
- '\WerFault.exe'
- filter_null: # some backends need the null value in a seperate expression
+ filter_null1: # some backends need the null value in a seperate expression
LogonId: null
- condition: selection and not filter and not filter_null
+ filter_null2: # some backends need the null value in a seperate expression
+ SubjectLogonId: null
+ condition: selection and not filter and not filter_null1 and not filter_null2
falsepositives:
- Unknown
level: high
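Review bot: `condition: selection and not filter and not filter_null1 and not filter_null2` at L22894 requires both `LogonId` and `SubjectLogonId` to be present and non-null, depending on how the backend translates `field: null`; an event source that carries only one of the two would then be excluded by the other null filter and the rule would match nothing from that source. If the intent is to drop events whose available logon-id field is null, `condition: selection and not filter and not (filter_null1 and filter_null2)` expresses that. The `filter` block begins above the hunk, so its first entries are not visible here.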
diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml
index 496138fdec6..9347f2b35a4 100644
--- a/rules/windows/process_creation/win_workflow_compiler.yml
+++ b/rules/windows/process_creation/win_workflow_compiler.yml
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- Image: '*\Microsoft.Workflow.Compiler.exe'
+ Image|endswith: '\Microsoft.Workflow.Compiler.exe'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml
new file mode 100644
index 00000000000..4462da4e771
--- /dev/null
+++ b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml
@@ -0,0 +1,20 @@
+title: Write Protect For Storage Disabled
+id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
+description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+status: experimental
+author: Sreeman
+date: 2021/06/11
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*'
+ condition: selection
+falsepositives:
+ - none observed
+level: medium
\ No newline at end of file
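Review bot: The regex at L22932 requires the literal text `write protection`, but the registry value under `StorageDevicePolicies` that governs this setting is named `WriteProtect` (no space, no `ion`), so a command that sets that value never matches and the rule is effectively dead; `write ?protect(ion)?` covers both spellings. The leading and trailing `.*` are redundant for an unanchored match, and the inline `(?i)` flag may not be honoured by every backend's regex engine, so that dependency is worth a comment above the line. The file also ends without a trailing newline, which this commit fixes elsewhere (L22279–L22281).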
diff --git a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
similarity index 91%
rename from rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
rename to rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index 0f4ec0b9213..72fbafb6201 100644
--- a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -10,10 +10,8 @@ tags:
- attack.t1006
logsource:
product: windows
- service: sysmon
+ category: raw_access_thread
detection:
- selection:
- EventID: 9
filter_1:
Device|contains: floppy
filter_2:
@@ -32,7 +30,7 @@ detection:
- '\dfsrs.exe'
- '\vds.exe'
- '\lsass.exe'
- condition: selection and not filter_1 and not filter_2
+ condition: not filter_1 and not filter_2
fields:
- ComputerName
- Image
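Review bot: `condition: not filter_1 and not filter_2` at L22962 consists only of negated identifiers; with `selection` removed at L22952–L22953 in the earlier hunk, the rule now relies entirely on the `raw_access_thread` category to scope events, and some backends or validators may reject a condition that never positively selects anything. At minimum put `# every raw-access event of this logsource, minus the filtered tools` above the condition so the intent is explicit; if a backend does reject it, a catch-all selection will be needed again. The `filter_2` list begins above this hunk.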
diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
index 916d4773d04..243d2d7ec83 100755
--- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
@@ -7,7 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1112
-author: megan201296
+author: megan201296, Jonhnathan Ribeiro
date: 2019/04/14
modified: 2020/09/06
logsource:
@@ -17,21 +17,26 @@ detection:
selection:
TargetObject:
- 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ TargetObject|endswith:
# covers HKU\* and HKLM..
- - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
+ - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
+ - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
+ - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
+ - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
+ - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ selection2:
+ TargetObject|startswith:
+ - 'HKU\'
+ TargetObject|contains:
# HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*'
+ - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
# HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*'
+ - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\'
# HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*'
- condition: selection
+ - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
+ - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ condition: selection or selection2
falsepositives:
- Unknown
level: critical
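Review bot: `TargetObject|endswith:` at L22984 is, as laid out, a second key inside the `selection` mapping beside `TargetObject:` at L22981, and keys within one selection are AND-ed in Sigma, so an event would have to equal the `HKCR\CLSID\...\Model` path and also end with one of the `\SOFTWARE\App\AppX...` values — which no event can, leaving `selection` dead and only `selection2` effective. The replaced lines at L22983–L22991 were a single OR-ed value list; keeping that semantics means making the two matchers separate list entries under `selection`, as `win_webshell_recon_detection.yml` does at L22684–L22691 in this same commit. The rewrite below shows the structure; the remaining AppX entries are unchanged.
```yaml
selection:
  - TargetObject:
      - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
  - TargetObject|endswith:
      # covers HKU\* and HKLM..
      - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
      # … unchanged: remaining AppX Application/DefaultIcon entries …
```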
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 80f4a823770..a8bb54d79f5 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -1,38 +1,213 @@
title: Autorun Keys Modification
id: 17f878b8-9968-4578-b814-c4217fc5768c
-description: Detects modification of autostart extensibility point (ASEP) in registry
+description: Detects modification of autostart extensibility point (ASEP) in registry.
status: experimental
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
tags:
- attack.persistence
- - attack.t1060 # an old one
- attack.t1547.001
-date: 2019/10/21
-modified: 2020/09/06
-author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+ - attack.t1060 # an old one
+date: 2019/10/25
+modified: 2020/11/04
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community
logsource:
category: registry_event
product: windows
+level: medium
detection:
- selection:
- TargetObject|contains:
- - '\software\Microsoft\Windows\CurrentVersion\Run'
- - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
- - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- - '\software\Microsoft\Windows\CurrentVersion\RunServices'
- - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
- - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU
- - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
- condition: selection
+ main_selection:
+ TargetObject|contains:
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
+ - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
+ - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
+ - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
+ - '\SYSTEM\Setup\CmdLine'
+ - '\Software\Microsoft\Ctf\LangBarAddin'
+ - '\Software\Microsoft\Command Processor\Autorun'
+ - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
+ - '\SOFTWARE\Classes\Protocols\Handler'
+ - '\SOFTWARE\Classes\Protocols\Filter'
+ - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
+ - '\Environment\UserInitMprLogonScript'
+ - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
+ - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
+ - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
+ - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
+ - '\Control Panel\Desktop\Scrnsave.exe'
+ session_manager_base:
+ TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
+ session_manager:
+ TargetObject|contains:
+ - '\SetupExecute'
+ - '\S0InitialCommand'
+ - '\KnownDlls'
+ - '\Execute'
+ - '\BootExecute'
+ - '\AppCertDlls'
+ current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
+ current_version:
+ TargetObject|contains:
+ - '\ShellServiceObjectDelayLoad'
+ - '\Run'
+ - '\Policies\System\Shell'
+ - '\Policies\Explorer\Run'
+ - '\Group Policy\Scripts\Startup'
+ - '\Group Policy\Scripts\Shutdown'
+ - '\Group Policy\Scripts\Logon'
+ - '\Group Policy\Scripts\Logoff'
+ - '\Explorer\ShellServiceObjects'
+ - '\Explorer\ShellIconOverlayIdentifiers'
+ - '\Explorer\ShellExecuteHooks'
+ - '\Explorer\SharedTaskScheduler'
+ - '\Explorer\Browser Helper Objects'
+ - '\Authentication\PLAP Providers'
+ - '\Authentication\Credential Providers'
+ - '\Authentication\Credential Provider Filters'
+ nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ nt_current_version:
+ TargetObject|contains:
+ - '\Winlogon\VmApplet'
+ - '\Winlogon\Userinit'
+ - '\Winlogon\Taskman'
+ - '\Winlogon\Shell'
+ - '\Winlogon\GpExtensions'
+ - '\Winlogon\AppSetup'
+ - '\Winlogon\AlternateShells\AvailableShells'
+ - '\Windows\IconServiceLib'
+ - '\Windows\Appinit_Dlls'
+ - '\Image File Execution Options'
+ - '\Font Drivers'
+ - '\Drivers32'
+ - '\Windows\Run'
+ - '\Windows\Load'
+ wow_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
+ wow_current_version:
+ TargetObject|contains:
+ - '\ShellServiceObjectDelayLoad'
+ - '\Run'
+ - '\Explorer\ShellServiceObjects'
+ - '\Explorer\ShellIconOverlayIdentifiers'
+ - '\Explorer\ShellExecuteHooks'
+ - '\Explorer\SharedTaskScheduler'
+ - '\Explorer\Browser Helper Objects'
+ wow_nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
+ wow_nt_current_version:
+ TargetObject|contains:
+ - '\Windows\Appinit_Dlls'
+ - '\Image File Execution Options'
+ - '\Drivers32'
+ wow_office:
+ TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office'
+ office:
+ TargetObject|contains: '\Software\Microsoft\Office'
+ wow_office_details:
+ TargetObject|contains:
+ - '\Word\Addins'
+ - '\PowerPoint\Addins'
+ - '\Outlook\Addins'
+ - '\Onenote\Addins'
+ - '\Excel\Addins'
+ - '\Access\Addins'
+ - 'test\Special\Perf'
+ wow_ie:
+ TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer'
+ ie:
+ TargetObject|contains: '\Software\Microsoft\Internet Explorer'
+ wow_ie_details:
+ TargetObject|contains:
+ - '\Toolbar'
+ - '\Extensions'
+ - '\Explorer Bars'
+ wow_classes_base:
+ TargetObject|contains: '\Software\Wow6432Node\Classes'
+ wow_classes:
+ TargetObject|contains:
+ - '\Folder\ShellEx\ExtShellFolderViews'
+ - '\Folder\ShellEx\DragDropHandlers'
+ - '\Folder\ShellEx\ColumnHandlers'
+ - '\Directory\Shellex\DragDropHandlers'
+ - '\Directory\Shellex\CopyHookHandlers'
+ - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
+ - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
+ - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
+ - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
+ - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
+ - '\ShellEx\PropertySheetHandlers'
+ - '\ShellEx\ContextMenuHandlers'
+ classes_base:
+ TargetObject|contains: '\Software\Classes'
+ classes:
+ TargetObject|contains:
+ - '\Folder\ShellEx\ExtShellFolderViews'
+ - '\Folder\ShellEx\DragDropHandlers'
+ - '\Folder\Shellex\ColumnHandlers'
+ - '\Filter'
+ - '\Exefile\Shell\Open\Command\(Default)'
+ - '\Directory\Shellex\DragDropHandlers'
+ - '\Directory\Shellex\CopyHookHandlers'
+ - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
+ - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
+ - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
+ - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
+ - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
+ - '\.exe'
+ - '\.cmd'
+ - '\ShellEx\PropertySheetHandlers'
+ - '\ShellEx\ContextMenuHandlers'
+ scripts_base:
+ TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
+ scripts:
+ TargetObject|contains:
+ - '\Startup'
+ - '\Shutdown'
+ - '\Logon'
+ - '\Logoff'
+ winsock_parameters_base:
+ TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
+ winsock_parameters:
+ TargetObject|contains:
+ - '\Protocol_Catalog9\Catalog_Entries'
+ - '\NameSpace_Catalog5\Catalog_Entries'
+ system_control_base:
+ TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
+ system_control:
+ TargetObject|contains:
+ - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
+ - '\Terminal Server\Wds\rdpwd\StartupPrograms'
+ - '\SecurityProviders\SecurityProviders'
+ - '\SafeBoot\AlternateShell'
+ - '\Print\Providers'
+ - '\Print\Monitors'
+ - '\NetworkProvider\Order'
+ - '\Lsa\Notification Packages'
+ - '\Lsa\Authentication Packages'
+ - '\BootVerificationProgram\ImagePath'
+ condition: main_selection OR
+ session_manager_base AND session_manager OR
+ current_version_base AND current_version OR
+ nt_current_version_base AND nt_current_version OR
+ wow_current_version_base AND wow_current_version OR
+ wow_nt_current_version_base AND wow_nt_current_version OR
+ (wow_office OR office) AND wow_office_details OR
+ (wow_ie OR ie) AND wow_ie_details OR
+ wow_classes_base AND wow_classes OR
+ classes_base AND classes OR
+ scripts_base AND scripts OR
+ winsock_parameters_base AND winsock_parameters OR
+ system_control_base AND system_control
+fields:
+ - SecurityID
+ - ObjectName
+ - OldValueType
+ - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
-level: medium
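Review bot: The condition at L23237–L23249 spells the operators `OR`/`AND` in upper case, while every other rule in this commit writes them lower case (L22665, L22894) as the specification does; lower-casing them keeps the rule loadable by tools that follow the spec strictly, and since `and` binds tighter than `or`, wrapping each `*_base and *` pair in parentheses makes the intended grouping explicit to readers. `'test\Special\Perf'` at L23163 does not look like an Office add-in key path like its neighbours; if it is intentional it needs a comment saying what it covers, otherwise it should be removed. `fields` at L23250–L23254 lists Security-log names (`ObjectName`, `OldValueType`) for a detection written against `TargetObject`; confirm these are fields the intended backend actually carries.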
diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
new file mode 100644
index 00000000000..d20032bdabc
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
@@ -0,0 +1,29 @@
+title: UAC Bypass Via Wsreset
+id: 6ea3bf32-9680-422d-9f50-e90716b12a66
+status: experimental
+description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
+references:
+ - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith:
+ - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
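Review bot: The `description` on line 4 of the new file reads as notes rather than as a statement of what the rule detects; suggest `description: Detects modification of the WSReset.exe shell command handler key, an unfixed Windows 10 UAC bypass in which WSReset.exe (associated with the Windows Store) runs the binary referenced from this low-privilege registry key.` The `TargetObject|endswith` value is a one-element list, which is fine but could be a plain scalar like the other single-value modifiers in this diff. The file also has no trailing newline, which yamllint flags.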
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
index 81302dfea76..10c7f0b1740 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -25,11 +25,6 @@ logsource:
category: registry_event
product: windows
detection:
- # Registry Object Add
- selection1:
- TargetObject: '*\cmmgr32.exe*'
- EventType: 'CreateKey'
- # Registry Object Value Set
- selection2:
- TargetObject: '*\cmmgr32.exe*'
- condition: 1 of them
+ selection:
+ TargetObject|contains: '\cmmgr32.exe'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000000..9d7818cbf71
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
@@ -0,0 +1,37 @@
+title: CobaltStrike Service Installations in Registry
+id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+ We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
+ In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
+status: experimental
+date: 2021/06/29
+author: Wojciech Lesicki
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
+references:
+ - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection1:
+ EventType: SetValue
+ TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'
+ selection2:
+ Details|contains|all:
+ - 'ADMIN$'
+ - '.exe'
+ selection3:
+ Details|contains|all:
+ - '%COMSPEC%'
+ - 'start'
+ - 'powershell'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
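Review bot: `description` on lines 3-5 of the new file is a multi-line plain scalar, so the two continuation lines are silently folded into the first and any `: ` or ` #` introduced by a later edit would break parsing; write it as a block scalar, `description: >-`, with the three lines indented beneath it. Each of the three sentences could then also stand on its own line, which makes the pointer to the 7045 rule easier to find. The file is also missing its trailing newline.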
diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
index bf76b00d89a..dedf925a55a 100644
--- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
@@ -18,8 +18,6 @@ detection:
selection:
TargetObject:
- 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
- EventType:
- - SetValue
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
index e5e17ef119c..8a02f889e6a 100644
--- a/rules/windows/registry_event/sysmon_cve-2020-1048.yml
+++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
@@ -18,10 +18,6 @@ logsource:
detection:
selection:
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
- EventType:
- - SetValue
- - DeleteValue
- - CreateValue
Details|contains:
- '.dll'
- '.exe'
diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index c2cff481254..d8b7daf7c38 100755
--- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -19,10 +19,9 @@ logsource:
product: windows
detection:
selection:
-
- TargetObject:
- - '*\Services\DHCPServer\Parameters\CalloutDlls'
- - '*\Services\DHCPServer\Parameters\CalloutEnabled'
+ TargetObject|endswith:
+ - '\Services\DHCPServer\Parameters\CalloutDlls'
+ - '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml b/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml
new file mode 100644
index 00000000000..bbf21c9fc56
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml
@@ -0,0 +1,37 @@
+title: Disable Microsoft Office Security Features
+id: 7c637634-c95d-4bbf-b26c-a82510874b34
+description: Disable Microsoft Office Security Features by registry
+status: experimental
+date: 2021/06/08
+author: frack113
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+ - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+
+logsource:
+ product: windows
+ category: registry_event
+ definition: key must be add to the sysmon configuration to works
+ # Sysmon
+ # \VBAWarnings
+ # \DisableInternetFilesInPV
+ # \DisableUnsafeLocationsInPV
+ # \DisableAttachementsInPV
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\SOFTWARE\Microsoft\Office\'
+ TargetObject|endswith:
+ - VBAWarnings
+ - DisableInternetFilesInPV
+ - DisableUnsafeLocationsInPV
+ - DisableAttachementsInPV
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
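Review bot: `definition: key must be add to the sysmon configuration to works` is ungrammatical; suggest `definition: The listed registry values must be added to the Sysmon configuration for this rule to fire`, and the identical line appears in sysmon_removal_amsi_registry_key.yml in this diff. The four `TargetObject|endswith` values are the only unquoted value names among the new rules here, while `TargetObject|contains` right above them is quoted; quote them as `'VBAWarnings'` etc. for consistency. The description `Disable Microsoft Office Security Features by registry` names the attacker action rather than the detection; `Detects registry modifications that disable Microsoft Office security features such as VBA macro warnings` would match the rest of the corpus.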
diff --git a/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml
new file mode 100644
index 00000000000..07ffdf7ce3a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml
@@ -0,0 +1,21 @@
+title: Wdigest CredGuard Registry Modification
+id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
+description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
+status: experimental
+date: 2019/08/25
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+references:
+ - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\IsCredGuardEnabled'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
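Review bot: `date: 2019/08/25` predates the only reference, whose URL carries 2020/08/25; one of the two looks like a typo and should be checked. The selection fires on any registry event whose target ends in `\IsCredGuardEnabled`, regardless of hive or parent key, while the description talks specifically about the value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`; if the broad match is intended, say so in the description, otherwise add `TargetObject|contains: '\SecurityProviders\WDigest'` to the selection so the `critical` level is backed by the narrower match.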
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
index 59849ff884b..fd7d5d2c1e0 100755
--- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
@@ -30,7 +30,7 @@ logsource:
category: registry_event
detection:
dnsregmod:
- TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
+ TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: 1 of them
---
logsource:
@@ -38,5 +38,8 @@ logsource:
product: windows
detection:
dnsadmin:
- CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
- condition: 1 of them
\ No newline at end of file
+ Image|endswith: '\dnscmd.exe'
+ CommandLine|contains|all:
+ - '/config'
+ - '/serverlevelplugindll'
+ condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml
new file mode 100644
index 00000000000..384ed94f0e6
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml
@@ -0,0 +1,25 @@
+title: Enabling COR Profiler Environment Variables
+id: ad89044a-8f49-4673-9a55-cbd88a1b374f
+description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
+status: experimental
+date: 2020/09/10
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.012
+references:
+ - https://twitter.com/jamieantisocial/status/1304520651248668673
+ - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
+ - https://www.sans.org/cyber-security-summit/archives
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith:
+ - '\COR_ENABLE_PROFILING'
+ - '\COR_PROFILER'
+ condition: selection
+level: high
\ No newline at end of file
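Review bot: The new rule has no `falsepositives` entry, although every other new registry_event rule in this diff carries one; add `falsepositives:` with at least `- Unknown` before `level`. Since `COR_ENABLE_PROFILING` and `COR_PROFILER` are the standard .NET CLR profiling variables, a one-line note that legitimate profilers and monitoring agents set them would help whoever triages a `high` alert from this rule. The file is also missing its trailing newline.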
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 6472824086c..e3f50de162f 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -15,9 +15,9 @@ logsource:
category: registry_event
product: windows
detection:
- selection:
+ selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- - 'Another service that uses a single -s command line switch'
-level: critical
\ No newline at end of file
+ - Unknown
+level: critical
diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml
new file mode 100644
index 00000000000..3563a2722aa
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml
@@ -0,0 +1,22 @@
+title: HybridConnectionManager Service Installation
+id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
+description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection1:
+ TargetObject|contains: '\Services\HybridConnectionManager'
+ selection2:
+ Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
+ condition: selection1 or selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
index 069aaa5018d..e9ee2839a71 100644
--- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -17,9 +17,9 @@ logsource:
product: windows
detection:
create_keywords_reg:
- TargetObject: '*UserInitMprLogonScript*'
+ TargetObject|contains: 'UserInitMprLogonScript'
condition: create_keywords_reg
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
new file mode 100644
index 00000000000..8dd2cc28f92
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
@@ -0,0 +1,27 @@
+title: Path To Screensaver Binary Modified
+id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
+status: experimental
+description: Detects value modification of registry key containing path to binary used as screensaver.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
+ - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.002
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/11
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
+ filter:
+ Image|endswith:
+ - '\rundll32.exe'
+ - '\explorer.exe'
+ condition: selection and not filter
+level: medium
+falsepositives:
+ - 'Legitimate modification of screensaver.'
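Review bot: The `filter` drops every event whose `Image` ends in `\rundll32.exe` or `\explorer.exe`, and the reason is not recorded anywhere in the rule; add a comment above `filter:` naming the legitimate flow each image covers (presumably the Screen Saver settings dialog, which I cannot confirm from here) so a later maintainer can judge whether the exclusion is still safe. `level` is placed before `falsepositives`, unlike the other rules in this diff, which end with `falsepositives` followed by `level`; reorder for consistency.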
diff --git a/rules/windows/registry_event/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml
new file mode 100644
index 00000000000..298f2660f87
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml
@@ -0,0 +1,24 @@
+title: New Application in AppCompat
+id: 60936b49-fca0-4f32-993d-7415edcf9a5d
+description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1204.002
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/1
+ - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
+ condition: selection
+falsepositives:
+ - This rule is to explore new applications on an endpoint. False positives depends on the organization.
+ - Newly setup system.
+ - Legitimate installation of new application.
+level: informational
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 0007bb601c0..820a65f603a 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -17,13 +17,13 @@ logsource:
product: windows
detection:
selection:
- - TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- # key rename
- NewName:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ NewName|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
condition: selection
fields:
- EventID
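Review bot: With the `- # key rename` line removed, `NewName|endswith:` must still open its own list item under `selection:` (`- NewName|endswith:`); if it now sits at the same indent as `TargetObject|endswith`, it becomes a second key of the first map and the rule requires both fields to match on one event, turning the intended OR into an AND that a rename event will not satisfy. The collapsed diff hides the indentation, so please verify against the file. A comment such as `# key renamed to AppInit_Dlls` above that item would preserve the explanation the removed line carried.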
diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
index 4afc0fbc367..8eac61ee816 100644
--- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
+++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
@@ -9,6 +9,7 @@ tags:
- attack.persistence
author: Bhabesh Raj
date: 2021/01/10
+modified: 2021/06/01
logsource:
category: registry_event
product: windows
@@ -20,7 +21,9 @@ detection:
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
- condition: selection
+ filter:
+ Image|endswith: '\msiexec.exe'
+ condition: selection and not filter
falsepositives:
- Unknown
level: high
\ No newline at end of file
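Review bot: The new `filter` excludes every event from a process whose image ends in `\msiexec.exe`, an exclusion by image name alone with no rationale in the rule; add a comment above `filter:` such as `# add-in installers register these keys through Windows Installer — confirm` so the exclusion can be revisited. The file still ends without a trailing newline, which this commit fixes for several sibling rules but not here.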
diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml
new file mode 100644
index 00000000000..a297c66800a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml
@@ -0,0 +1,26 @@
+title: PowerShell as a Service in Registry
+id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
+description: Detects that a powershell code is written to the registry as a service.
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Services\'
+ TargetObject|endswith: '\ImagePath'
+ Details|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 3fe7d6cda44..3df09fb6257 100755
--- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
tags:
- attack.defense_evasion
- attack.t1112
diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index 425c550b6b7..4a904157046 100755
--- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
@@ -11,10 +11,10 @@ logsource:
product: windows
detection:
selection_reg:
- TargetObject:
- - '*\services\TermService\Parameters\ServiceDll*'
- - '*\Control\Terminal Server\fSingleSessionPerUser*'
- - '*\Control\Terminal Server\fDenyTSConnections*'
+ TargetObject|contains:
+ - '\services\TermService\Parameters\ServiceDll'
+ - '\Control\Terminal Server\fSingleSessionPerUser'
+ - '\Control\Terminal Server\fDenyTSConnections'
condition: selection_reg
tags:
- attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
index 8e538be8579..27e6957c5ac 100644
--- a/rules/windows/registry_event/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
@@ -16,14 +16,10 @@ logsource:
detection:
sec_settings:
TargetObject|endswith:
- - '*\Security\Trusted Documents\TrustRecords'
- - '*\Security\AccessVBOM'
- - '*\Security\VBAWarnings'
- EventType:
- - SetValue
- - DeleteValue
- - CreateValue
+ - '\Security\Trusted Documents\TrustRecords'
+ - '\Security\AccessVBOM'
+ - '\Security\VBAWarnings'
condition: sec_settings
falsepositives:
- Valid Macros and/or internal documents
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
index fe6b5f5a5d2..c8404f2cc14 100644
--- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
@@ -16,9 +16,6 @@ detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
Details|contains: 'MonitorProcess'
- EventType:
- - SetValue
- - CreateValue
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
index bafd3cbd2e1..66a5dc12a21 100644
--- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
@@ -15,9 +15,6 @@ logsource:
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
- EventType:
- - SetValue
- - CreateValue
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
new file mode 100644
index 00000000000..0104e1bf454
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@@ -0,0 +1,31 @@
+title: VBScript Payload Stored in Registry
+id: 46490193-1b22-4c29-bdd6-5bf63907216f
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+status: experimental
+date: 2021/03/05
+author: Florian Roth
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
+ Details|contains:
+ - 'vbscript'
+ - 'jscript'
+ - 'mshtml'
+ - 'mshtml,'
+ - 'mshtml '
+ - 'RunHTMLApplication'
+ - 'Execute('
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ filter:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
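Review bot: In `Details|contains`, the entries `'mshtml,'` and `'mshtml '` are redundant because `'mshtml'` already matches any value containing them; drop the two extra entries, or drop the bare one if the intent was to avoid matching arbitrary words that contain `mshtml`. The `filter` on `'Software\Microsoft\Windows\CurrentVersion\Run'` also excludes `RunOnce` and any other key under that path by virtue of `contains`, and the rule does not say why autorun locations are left out; add a comment above `filter:` with the rationale (presumably those keys are covered by the dedicated autorun rules, which I cannot confirm from here).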
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
new file mode 100644
index 00000000000..0b955883550
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
@@ -0,0 +1,24 @@
+title: Creation of a Local Hidden User Account by Registry
+id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
+description: Sysmon registry detection of a local hidden user account.
+status: experimental
+date: 2021/05/03
+modified: 2021/05/12
+author: Christian Burkard
+tags:
+ - attack.persistence
+ - attack.t1136.001
+references:
+ - https://twitter.com/SBousseaden/status/1387530414185664538
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
+ TargetObject|endswith: '$'
+ Image|endswith: "lsass.exe"
+ condition: selection
+falsepositives:
+ - unknown
+level: high
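Review bot: `Image|endswith: "lsass.exe"` has no leading backslash, so it also matches any image name that merely ends in `lsass.exe`; use `Image|endswith: '\lsass.exe'`, the form every other `Image|endswith` in this diff uses. The double quotes are likewise the only ones in this batch of rules, and single quotes match the surrounding style.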
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 3cb36716ace..2ede1d70831 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -16,7 +16,10 @@ logsource:
detection:
selection:
EventType: 'CreateKey' # don't want DeleteKey events
- TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\TreatAs'
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index ed0c583929d..7f4b07fc461 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -4,9 +4,9 @@ status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
-modified: 2020/09/06
+modified: 2021/05/01
tags:
- attack.persistence
- attack.t1038 # an old one
@@ -16,15 +16,30 @@ logsource:
product: windows
detection:
selection: # Detect new COM servers in the user hive
- TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
- filter:
- Details: # Exclude privileged directories and observed FPs
- - '%%systemroot%%\system32\\*'
- - '%%systemroot%%\SysWow64\\*'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll'
- - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll'
- condition: selection and not filter
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\InProcServer32\(Default)'
+ filter1:
+ - Details|contains: # Exclude privileged directories and observed FPs
+ - '%%systemroot%%\system32\'
+ - '%%systemroot%%\SysWow64\'
+ filterOneDrive:
+ - Details|contains: '\AppData\Local\Microsoft\OneDrive\'
+ filterOneDrive2:
+ - Details|contains:
+ - '\FileCoAuthLib64.dll'
+ - '\FileSyncShell64.dll'
+ - '\FileSyncApi64.dll'
+ filter2:
+ - Details|contains|all:
+ - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
+ - '\Microsoft.Teams.AddinLoader.dll'
+ filter3:
+ - Details|contains|all:
+ - '\AppData\Roaming\Dropbox\'
+ - '\DropboxExt64.*.dll'
+ condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium
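Review bot: Each filter is written as a one-element list (`- Details|contains: …`) although none holds more than one map; the leading `-` adds a list level that only makes the condition harder to read and is inconsistent with `selection` in the same block, so drop it. In `filter3`, `'\DropboxExt64.*.dll'` relies on `*` being treated as a wildcard inside a `contains|all` value; if that is intended, a comment such as `# * matches the version segment` would stop someone from "fixing" it, and if a literal `.*` was meant it must be escaped. The `( filterOneDrive and filterOneDrive2 )` pairing is the only nested group in the condition and deserves a one-line comment explaining that the path and the DLL name must both match.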
diff --git a/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml b/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml
new file mode 100644
index 00000000000..9428a3d3910
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml
@@ -0,0 +1,26 @@
+title: Removal Amsi Provider Reg Key
+id: 41d1058a-aea7-4952-9293-29eaaf516465
+description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
+status: experimental
+date: 2021/06/07
+author: frack113
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://seclists.org/fulldisclosure/2020/Mar/45
+logsource:
+ product: windows
+ category: registry_event
+ definition: key must be add to the sysmon configuration to works
+detection:
+ selection:
+ EventType: DeleteKey
+ TargetObject|endswith:
+ - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
+ - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
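Review bot: The two `TargetObject|endswith` GUIDs are bare; a comment above each naming the AMSI provider it belongs to, taken from the referenced seclists post, would let an analyst read the alert without a lookup, e.g. `# <provider name> AMSI provider CLSID`. The description `Remove the AMSI Provider registry key …` names the action rather than the detection; `Detects deletion of an AMSI provider registry key under HKLM\Software\Microsoft\AMSI, which disables AMSI inspection by that provider` fits the corpus style.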
diff --git a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml
new file mode 100644
index 00000000000..d834dcb1b06
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml
@@ -0,0 +1,26 @@
+title: Removal of Potential COM Hijacking Registry Keys
+id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
+description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/7
+ - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
+ - https://docs.microsoft.com/en-us/windows/win32/shell/launch
+ - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
+ - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ EventType: 'DeleteKey'
+ TargetObject|endswith: '\shell\open\command'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
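Review bot: `EventType: 'DeleteKey'` is quoted here while the same value is written bare as `EventType: DeleteKey` in sysmon_removal_amsi_registry_key.yml in this diff; pick one form. The description `A General detection to trigger for processes removing .*\shell\open\command registry keys.` mixes a regex fragment into prose; `Detects deletion of registry keys ending in \shell\open\command, which may have been used for COM hijacking` reads cleaner. The file is also missing its trailing newline.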
diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml
new file mode 100644
index 00000000000..6e74aedb5ff
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml
@@ -0,0 +1,23 @@
+title: Run Once Task Configuration in Registry
+id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
+description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/11/15
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'
+ TargetObject|endswith: '\StubPath'
+ condition: selection
+falsepositives:
+ - Legitimate modification of the registry key by legitimate program
+level: medium
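Review bot: The title and description talk about `Run Once`, but the selection matches `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\…\StubPath`, i.e. an Active Setup entry; the description should say so, e.g. `Detects configuration of an Active Setup StubPath value, which runonce.exe /AlternateShellStartup executes`, so an analyst does not go looking at the Run/RunOnce keys. Since this is a persistence location, the tags could carry `attack.persistence` alongside `attack.defense_evasion`; the author should confirm the ATT&CK mapping.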
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 06e822d14ab..7f23a329807 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -12,9 +12,9 @@ tags:
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
-author: Florian Roth, @twjackomo
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
-modified: 2020/09/06
+modified: 2020/11/28
falsepositives:
- Unlikely
level: critical
@@ -23,15 +23,14 @@ logsource:
category: registry_event
product: windows
detection:
- selection_registry:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- EventType: 'SetValue'
+ selection_registry:
+ TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
condition: 1 of them
---
logsource:
@@ -39,13 +38,13 @@ logsource:
product: windows
detection:
selection_process:
- ParentImage:
- - '*\winlogon.exe'
- CommandLine:
- - '*cmd.exe sethc.exe *'
- - '*cmd.exe utilman.exe *'
- - '*cmd.exe osk.exe *'
- - '*cmd.exe Magnify.exe *'
- - '*cmd.exe Narrator.exe *'
- - '*cmd.exe DisplaySwitch.exe *'
+ ParentImage|endswith: '\winlogon.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'Magnify.exe'
+ - 'Narrator.exe'
+ - 'DisplaySwitch.exe'
condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
new file mode 100644
index 00000000000..55850ba37e6
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -0,0 +1,26 @@
+title: Atbroker Registry Change
+id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
+author: Mateusz Wydra, oscd.community
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
+date: 2020/10/13
+modified: 2021/05/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ creation:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
+ persistance:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
+ condition: creation or persistance
+falsepositives:
+ - Creation of non-default, legitimate AT.
+level: high
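Review bot: The new rule has no `status:` field, while the other rules added in this commit carry `status: experimental`; add `status: experimental` after the `id` line. The description misspells "Assistive" and "persistence" ("Assisitive", "persistance"), and the second selection name repeats the misspelling, so both can be fixed together: `persistence:` and `condition: creation or persistence`.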
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 963cbfc9219..fcc8c3b45ae 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -1,4 +1,4 @@
-title: Suspicious RUN Key from Download
+title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: experimental
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
@@ -16,11 +16,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ Image|contains:
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
condition: selection
falsepositives:
- Software installers downloaded and used by users
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index e7ff3701337..d17f68a152c 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -13,9 +13,9 @@ logsource:
product: windows
detection:
selection:
- TargetObject:
- - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
+ TargetObject|contains:
+ - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
+ - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
condition: selection
tags:
- attack.execution
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 0729a320764..f8ffaeb6f6b 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -14,8 +14,9 @@ logsource:
product: windows
detection:
selection_1:
- TargetObject|contains:
- - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ TargetObject|contains|all:
+ - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+ - '\NonPackaged'
selection_2:
TargetObject|contains:
- microphone
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 8a84eff4c63..2c6ae5ca2fe 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2018/07/18
modified: 2020/09/06
references:
@@ -12,16 +12,18 @@ logsource:
product: windows
detection:
selection:
- TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- Details:
- - 'C:\Windows\Temp\\*'
- - 'C:\ProgramData\\*'
- - '*\AppData\\*'
- - 'C:\$Recycle.bin\\*'
- - 'C:\Temp\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- condition: selection
+ TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ selection2:
+ - Details|startswith:
+ - 'C:\Windows\Temp\'
+ - 'C:\ProgramData\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - Details|contains:
+ - '\AppData\'
+ condition: selection and selection2
tags:
- attack.persistence
- attack.t1060 # an old one
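Review bot: The detection logic of this rule changes (new `selection2` and a new condition), but the `modified: 2020/09/06` line shown as context in the first hunk of this file is left untouched, so consumers tracking rule revisions by date will not see the change; bump it to the commit date, as the stickykey rule in this commit does. The same applies to rules/windows/registry_event/sysmon_win_reg_persistence.yml, whose `modified: 2020/09/06` is also unchanged while its selections are rewritten.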
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index 309d978d827..af430e49a74 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -16,20 +16,22 @@ logsource:
product: windows
detection:
selection:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
- Details:
- - '*C:\Windows\Temp\\*'
- - '*C:\$Recycle.bin\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - 'wscript*'
- - 'cscript*'
- condition: selection
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
+ selection2:
+ - Details|contains:
+ - 'C:\Windows\Temp\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - 'C:\Users\Desktop\'
+ - Details|startswith:
+ - '%Public%\'
+ - 'wscript'
+ - 'cscript'
+ condition: selection and selection2
fields:
- Image
falsepositives:
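Review bot: The `Details|startswith` entries `wscript` and `cscript` only match when the Run value begins with the bare interpreter name, so a value written as a quoted or fully qualified path (`"C:\Windows\System32\wscript.exe" ...`) is not caught; this carries over from the old `wscript*` pattern, but since the block is being rewritten a `Details|contains` entry such as `'\wscript.exe'` and `'\cscript.exe'` alongside would close the gap. `C:\Users\Desktop\` (also carried over) is not a standard profile path and is worth a second look, though I cannot tell from the diff what it was meant to cover.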
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index 2d302e4f3dd..00e4022e6f3 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -19,14 +19,14 @@ detection:
- 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
- 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
selection_2:
- Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ Image|endswith:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
selection_3:
Details|contains:
- - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+ - '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
condition: selection_1 and not selection_2 and not selection_3
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index 125d927da2f..0cd426a5b50 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -14,9 +14,9 @@ logsource:
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
- TargetObject:
- - '*\Keyboard Layout\Preload\\*'
- - '*\Keyboard Layout\Substitutes\\*'
+ TargetObject|contains:
+ - '\Keyboard Layout\Preload\'
+ - '\Keyboard Layout\Substitutes\'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 056d98d403a..717e6b93a3c 100755
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -17,7 +17,7 @@ logsource:
category: registry_event
detection:
selection1:
- TargetObject: '*\EulaAccepted'
+ TargetObject|endswith: '\EulaAccepted'
condition: 1 of them
---
logsource:
@@ -25,5 +25,5 @@ logsource:
product: windows
detection:
selection2:
- CommandLine: '* -accepteula*'
- condition: 1 of them
\ No newline at end of file
+ CommandLine|contains: ' -accepteula'
+ condition: 1 of them
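Review bot: `CommandLine|contains: ' -accepteula'` only covers the dash form of the switch; Sysinternals tools also accept `/accepteula`, so the process-side selection misses one of the two documented spellings. A list covers both: `CommandLine|contains:` / `- ' -accepteula'` / `- ' /accepteula'`. The leading-space anchoring from the old `'* -accepteula*'` pattern is preserved, which is fine.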
diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
new file mode 100644
index 00000000000..ea6a92f219d
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
@@ -0,0 +1,23 @@
+title: Sysinternals SDelete Registry Keys
+id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
+status: experimental
+date: 2020/05/02
+modified: 2021/05/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+ - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: '\Software\Sysinternals\SDelete'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
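Review bot: The description presents the key as the regex `.*\Software\Sysinternals\SDelete`, while the selection uses `TargetObject|contains`, so readers may assume regex semantics the rule does not use; rewording to "keys containing `\Software\Sysinternals\SDelete`" keeps the two consistent. The file is also added without a trailing newline (the `\ No newline at end of file` marker), unlike the other new rules in this commit.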
diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml
new file mode 100644
index 00000000000..03465933f54
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml
@@ -0,0 +1,21 @@
+title: New TaskCache Entry
+id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
+description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1053.005
+date: 2021/06/18
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+author: Syed Hasan (@syedhasan009)
+falsepositives:
+ - Unknown
+level: medium
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
+ condition: selection
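Review bot: The description says the rule monitors the creation of a new key, but `TargetObject|contains` with no `EventType` restriction fires on any registry event touching `...\TaskCache\Tree\`, including value writes and deletions of existing tasks; either add `EventType: CreateKey` or reword the description to "creation or modification". The rule also lacks the `status:` field that every other rule added in this commit carries (`status: experimental`).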
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index f566bc86354..065779e19ad 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -24,7 +24,8 @@ logsource:
category: registry_event
detection:
methregistry:
- TargetObject: 'HKU\\*\mscfile\shell\open\command'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '\mscfile\shell\open\command'
condition: methregistry
---
logsource:
@@ -32,9 +33,9 @@ logsource:
product: windows
detection:
methprocess:
- ParentImage: '*\eventvwr.exe'
+ ParentImage|endswith: '\eventvwr.exe'
filterprocess:
- Image: '*\mmc.exe'
+ Image|endswith: '\mmc.exe'
condition: methprocess and not filterprocess
fields:
- CommandLine
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 79063257e1a..5a91724f290 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -13,7 +13,8 @@ logsource:
detection:
selection:
# usrclass.dat is mounted on HKU\USERSID_Classes\...
- TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
new file mode 100644
index 00000000000..eb48e935278
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
@@ -0,0 +1,24 @@
+title: Volume Shadow Copy Service Keys
+id: 5aad0995-46ab-41bd-a9ff-724f41114971
+description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+status: experimental
+date: 2020/10/20
+modified: 2021/06/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
+ filter:
+ TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
+ condition: selection and not filter
+falsepositives:
+ - Other services accessing that key or sub keys
+level: high
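Review bot: The description is a plain YAML scalar, so the doubled backslashes in `HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume` are literal and the rendered text shows `\\` between every component; write them singly, as the `TargetObject|contains` values below do. Because `contains: 'System\CurrentControlSet\Services\VSS'` is a substring match, any service whose name merely starts with `VSS` is matched as well; if only the VSS service is intended, `'System\CurrentControlSet\Services\VSS\'` with the trailing separator narrows it.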
diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
new file mode 100644
index 00000000000..351020fc099
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
@@ -0,0 +1,26 @@
+title: Execution DLL of Choice Using WAB.EXE
+id: fc014922-5def-4da9-a0fc-28c973f41bfb
+description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
+ - https://twitter.com/Hexacorn/status/991447379864932352
+ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+date: 2020/10/13
+modified: 2021/05/21
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
+ filter:
+ Details: '%CommonProgramFiles%\System\wab32.dll'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
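Review bot: The `filter` compares `Details` for exact equality with `'%CommonProgramFiles%\System\wab32.dll'`, so a value written with the variable already expanded (presumably `C:\Program Files\Common Files\System\wab32.dll`) would not be filtered and would raise a high-severity alert. If that form occurs on real hosts, `Details|endswith: '\System\wab32.dll'` filters both spellings. Whether the expanded form appears in practice cannot be confirmed from this diff.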
diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
new file mode 100644
index 00000000000..6a53796b6c2
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
@@ -0,0 +1,22 @@
+title: Wdigest Enable UseLogonCredential
+id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
+description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
+status: experimental
+date: 2019/09/12
+modified: 2021/05/27
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: 'WDigest\UseLogonCredential'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
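Review bot: `selection` matches any write to `...WDigest\UseLogonCredential`, including setting it to 0, which is the hardening step rather than the weakening the description warns about, so the rule cannot distinguish enabling from disabling. Add a value check in the same form the Outlook rule in this commit uses: `Details: DWORD (0x00000001)`. With that, the title "Enable UseLogonCredential" matches what is actually detected.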
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 25f5ef43a5d..883c5863abe 100755
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -5,18 +5,25 @@ references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
modified: 2020/09/06
-author: Karneades
+author: Karneades, Jonhnathan Ribeiro
logsource:
category: registry_event
product: windows
detection:
selection_reg1:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
- EventType: SetValue
- condition: selection_reg1
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ selection_reg2:
+ - TargetObject|contains|all:
+ - '\Image File Execution Options\'
+ - '\GlobalFlag'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\ReportingMode'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\MonitorProcess'
+ condition: selection_reg1 and selection_reg2
tags:
- attack.privilege_escalation
- attack.persistence
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
new file mode 100644
index 00000000000..6cdb6cb242d
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
@@ -0,0 +1,29 @@
+title: Registry Persistence Mechanism via Windows Telemetry
+id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+description: Detects persistence method using windows telemetry
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+author: Lednyov Alexey, oscd.community
+tags:
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ category: registry_event
+ product: windows
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+ - '\Command'
+ Details|contains: '.exe'
+ filter:
+ Details|contains:
+ - '\system32\CompatTelRunner.exe'
+ - '\system32\DeviceCensus.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: critical
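Review bot: The `definition` says the TelemetryController subkey lives in "the HKLU hives", but the sibling rule rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml in this commit matches the same key as `HKEY_LOCAL_MACHINE\SOFTWARE\...`, so the Sysmon configuration hint points operators at the wrong hive (and `HKLU` is not a hive name). That sibling rule covers the same key with the same reference, so the commit adds two overlapping rules for one technique; merging them, or cross-referencing one from the other's description, would avoid double alerts.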
diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml
new file mode 100644
index 00000000000..4d652427709
--- /dev/null
+++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml
@@ -0,0 +1,25 @@
+title: Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_registry:
+ TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+ Details|contains: '0x00000001'
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: medium
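Review bot: `TargetObject: 'HKEY_CURRENT_USER\Software\...\Security\Level'` is an exact match on a `HKEY_CURRENT_USER` prefix, but Sysmon records per-user keys as `HKU\<SID>\...`, which is what the eventvwr and sdclt rules in this same commit assume with `TargetObject|startswith: 'HKU\'`, so as written the selection is unlikely to ever match. `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'` matches regardless of hive spelling; the `16.0` pin also excludes other Office versions, which may be intended. The same prefix problem affects `HKEY_LOCAL_MACHINE\...` in rules/windows/registry_event/win_portproxy_registry_key.yml and rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml, where Sysmon logs `HKLM\`.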
diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml
new file mode 100644
index 00000000000..71a6dca99f9
--- /dev/null
+++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml
@@ -0,0 +1,32 @@
+title: Persistent Outlook Landing Pages
+id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
+description: Detects the manipulation of persistant URLs which could execute malicious code
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+author: Tobias Michalski
+date: 2021/06/10
+tags:
+ - attack.persistence
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection1:
+ TargetObject|contains:
+ - 'Software\Microsoft\Office\'
+ - '\Outlook\Today\'
+ selectionStamp:
+ TargetObject|endswith:
+ - 'Stamp'
+ Details: DWORD (0x00000001)
+ selectionUserDefined:
+ TargetObject|endswith:
+ - 'UserDefinedUrl'
+ condition: selection1 and (selectionStamp or selectionUserDefined)
+fields:
+ - Details
+falsepositives:
+ - unknown
+level: high
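Review bot: `selection1` lists two `TargetObject|contains` values, and a list under one field is OR-ed in Sigma, so `'Software\Microsoft\Office\'` alone satisfies it and the rule fires on every Office registry value ending in `Stamp` with that DWORD, or any ending in `UserDefinedUrl`; `TargetObject|contains|all:` is what the two fragments need. rules/windows/registry_event/win_outlook_registry_webview.yml has the same `contains` list for `'Software\Microsoft\Office\'` and `'Outlook\WebView\'` and needs the same fix. Both files also share the title "Persistent Outlook Landing Pages", which makes their alerts indistinguishable; differentiate them (e.g. "... via Today Page" and "... via WebView").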
diff --git a/rules/windows/registry_event/win_outlook_registry_webview.yml b/rules/windows/registry_event/win_outlook_registry_webview.yml
new file mode 100644
index 00000000000..7033f1c03db
--- /dev/null
+++ b/rules/windows/registry_event/win_outlook_registry_webview.yml
@@ -0,0 +1,31 @@
+title: Persistent Outlook Landing Pages
+id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
+description: Detects the manipulation of persistant URLs which can be malicious
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+ - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
+author: Tobias Michalski
+date: 2021/06/09
+tags:
+ - attack.persistence
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection1:
+ TargetObject|contains:
+ - 'Software\Microsoft\Office\'
+ - 'Outlook\WebView\'
+ TargetObject|endswith: 'URL'
+ selection2:
+ TargetObject|contains:
+ - 'Calendar'
+ - 'Inbox'
+ condition: selection1 and 1 of selection2
+fields:
+ - Details
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/registry_event/win_portproxy_registry_key.yml b/rules/windows/registry_event/win_portproxy_registry_key.yml
new file mode 100644
index 00000000000..2559c62022b
--- /dev/null
+++ b/rules/windows/registry_event/win_portproxy_registry_key.yml
@@ -0,0 +1,26 @@
+title: PortProxy Registry Key
+id: a54f842a-3713-4b45-8c84-5f136fdebd3c
+status: experimental
+description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
+references:
+ - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+ - https://adepts.of0x.cc/netsh-portproxy-code/
+ - https://www.dfirnotes.net/portproxy_detection/
+date: 2021/06/22
+tags:
+ - attack.lateral_movement
+ - attack.defense_evasion
+ - attack.command_and_control
+ - attack.t1090
+author: Andreas Hunkeler (@Karneades)
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_registry:
+ TargetObject: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
+ condition: selection_registry
+falsepositives:
+ - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
+ - Synergy Software KVM (https://symless.com/synergy)
+level: medium
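Review bot: `TargetObject` is compared for exact equality with `...\PortProxy\v4tov4\tcp`, so only an event on the key itself matches; the listener entries are stored as values beneath that key (presumably `...\v4tov4\tcp\<listen address and port>`), whose `TargetObject` is longer and would not match. `TargetObject|contains: '\Services\PortProxy\v4tov4\tcp'` covers the key and its values, and `'\Services\PortProxy\'` would also take in the other address-family modes if desired. The referenced articles describe which form is written; worth confirming against them.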
diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
new file mode 100644
index 00000000000..6c6c6de818c
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
@@ -0,0 +1,41 @@
+action: global
+title: Abusing Windows Telemetry For Persistence
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+status: Experimental
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
+ - attack.t1053
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+fields:
+ - EventID
+ - CommandLine
+ - TargetObject
+ - Details
+falsepositives:
+ - none
+level: high
+---
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains:
+ - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+ Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+ condition: selection
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
+ condition: selection
\ No newline at end of file
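Review bot: `status: Experimental` is capitalized while every other rule in this commit uses `status: experimental`; rule-validation scripts that compare against a fixed value set will reject it. In `Details|re`, the dots in `(.sh|.exe|.dll|...)` are unescaped and match any character, so `\.exe` and friends are intended (the `\\` in the second regex shows the escaping is known). The file also ends without a newline.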
diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
new file mode 100644
index 00000000000..0eabbe2625b
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
@@ -0,0 +1,26 @@
+title: Accessing WinAPI in PowerShell for Credentials Dumping
+id: 3f07b9d1-2082-4c56-9277-613a621983cc
+description: Detects Accessing to lsass.exe by Powershell
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/24
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 8
+ - 10
+ SourceImage|endswith: '\powershell.exe'
+ TargetImage|endswith: '\lsass.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
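Review bot: `SourceImage|endswith: '\powershell.exe'` covers only Windows PowerShell; PowerShell 7 runs as `pwsh.exe` and is missed by the selection. A list closes the gap: `SourceImage|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'`. The rule also hardcodes Sysmon EventID 8/10 under `service: sysmon`, while the rest of this commit moves rules toward category-based logsources (see the `wmi_event` rename), which is worth aligning.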
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
new file mode 100644
index 00000000000..a24cddcaa27
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -0,0 +1,38 @@
+action: global
+title: Sysmon Configuration Modification
+id: 1f2b5353-573f-4880-8e33-7d04dcf97744
+description: Someone try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2021/06/04
+modified: 2021/06/10
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+tags:
+ - attack.defense_evasion
+ - attack.t1564
+falsepositives:
+ - legitimate administrative action
+level: high
+---
+logsource:
+ product: windows
+ category: sysmon_status
+detection:
+ selection_stop:
+ State: Stopped
+ selection_conf:
+ message|startswith:
+ - 'Sysmon config state changed'
+ condition: selection_stop or selection_conf
+---
+logsource:
+ product: windows
+ category: sysmon_error
+detection:
+ selection_error:
+ Description|contains:
+ - 'Failed to open service configuration with error'
+ - 'Failed to connect to the driver to update configuration'
+ condition: selection_error
\ No newline at end of file
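Review bot: The tag `attack.t1564` (Hide Artifacts) does not match the referenced atomic test T1562.001 (Impair Defenses: Disable or Modify Tools), which is what stopping Sysmon or rewriting its configuration is; `- attack.t1562.001` fits the references. Field names are inconsistent across the two documents — lowercase `message|startswith` in the first, capitalized `Description|contains` in the second — which needs checking against the field names the `sysmon_status`/`sysmon_error` mappings emit. The description "Someone try to hide from Sysmon" reads better as "Detects attempts to stop Sysmon or change its configuration", and the file lacks a trailing newline.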
diff --git a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000000..9a22b547a11
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,29 @@
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+id: e554f142-5cf3-4e55-ace9-a1b59e0def65
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+modified: 2021/06/27
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1021.003
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_one:
+ EventID: 11
+ Image: System
+ TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
+ selection_two:
+ EventID: 7
+ Image|endswith: '\Internet Explorer\iexplore.exe'
+ ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
+ condition: selection_one or selection_two
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
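Review bot: This rule expresses its file-create/image-load pair as `service: sysmon` with hardcoded `EventID: 11` and `EventID: 7`, while rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml in the same commit encodes the identical pattern with `action: global` and `file_event`/`image_load` categories, which backends other than Sysmon can map; aligning this one with that form keeps the pair consistent. The title's leading `T1021 ` duplicates the `attack.t1021.*` tags and is not used by other rule titles here. The file ends without a newline.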
diff --git a/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml b/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml
new file mode 100644
index 00000000000..cd02807d267
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml
@@ -0,0 +1,22 @@
+title: DNS HybridConnectionManager Service Bus
+id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
+status: experimental
+date: 2021/04/12
+modified: 2021/06/10
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|contains: servicebus.windows.net
+ Image|contains: HybridConnectionManager
+ condition: selection
+falsepositives:
+ - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
+level: high
diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml
new file mode 100644
index 00000000000..085c739e931
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml
@@ -0,0 +1,47 @@
+action: global
+title: Pingback Backdoor
+id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
+status: experimental
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+author: Bhabesh Raj
+date: 2021/05/05
+falsepositives:
+ - Very unlikely
+level: high
+references:
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+ - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+tags:
+ - attack.persistence
+ - attack.t1574.001
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: updata.exe
+ TargetFilename: 'C:\Windows\oci.dll'
+ condition: selection
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Image|endswith: 'msdtc.exe'
+ ImageLoaded: 'C:\Windows\oci.dll'
+ condition: selection
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: 'updata.exe'
+ CommandLine|contains|all:
+ - 'config'
+ - 'msdtc'
+ - 'start'
+ - 'auto'
+ condition: selection
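Review bot: `Image|endswith: updata.exe` and `Image|endswith: 'msdtc.exe'` lack the leading path separator that the other `endswith` values in this commit carry (`'\wmiprvse.exe'`), so any image whose name merely ends in those strings matches too; `'\updata.exe'` and `'\msdtc.exe'` tighten both, and quoting the first keeps the style uniform. `ParentImage|endswith: 'updata.exe'` in the third document has the same shape.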
diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000000..b8064b87d8d
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,36 @@
+action: global
+title: Wmiprvse Wbemcomn DLL Hijack
+id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+modified: 2021/06/10
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+falsepositives:
+ - Unknown
+level: critical
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image: System
+ TargetFilename|endswith: '\wbem\wbemcomn.dll'
+ condition: selection
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Image|endswith: '\wmiprvse.exe'
+ ImageLoaded|endswith: '\wbem\wbemcomn.dll'
+ condition: selection
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_wmi_event_subscription.yml
rename to rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index df6b6e4400d..fc1bb7513f0 100644
--- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
@@ -10,7 +10,7 @@ author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
logsource:
product: windows
- service: sysmon
+ category: wmi_event
detection:
selector:
EventID:
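Review bot: Switching the logsource to `category: wmi_event` while the detection keeps explicit Sysmon `EventID:` values (the list starting at L25053 continues past the hunk) leaves the rule tied to Sysmon even though the generic category exists so that `tools/config/generic/sysmon.yml` — which this same commit teaches `wmi_event` → EventID 19/20/21 — supplies the event-id condition. The `sysmon_wmi_susp_scripting.yml` hunk has the same pattern, keeping `EventID: 20` in `selection`. If only the consumer-creation event is intended there, a comment should say so; otherwise drop the `EventID` key and let the category mapping provide it.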
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
similarity index 53%
rename from rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
rename to rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index e1f150b77cd..bea1f3afb5b 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -2,7 +2,7 @@ title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: experimental
description: Detects suspicious scripting in WMI Event Consumers
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro
references:
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
@@ -13,22 +13,27 @@ tags:
- attack.t1059.005
logsource:
product: windows
- service: sysmon
+ category: wmi_event
detection:
selection:
EventID: 20
- Destination:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- - '*new-object net.webclient).downloadstring(*'
- - '*new-object net.webclient).downloadfile(*'
- - '* iex(*'
- - '*WScript.shell*'
- - '* -nop *'
- - '* -noprofile *'
- - '* -decode *'
- - '* -enc *'
- condition: selection
+ selection_destination:
+ - Destination|contains|all:
+ - 'new-object'
+ - 'net.webclient'
+ - '.downloadstring'
+ - Destination|contains|all:
+ - 'new-object'
+ - 'net.webclient'
+ - '.downloadfile'
+ - Destination|contains:
+ - ' iex('
+ - 'WScript.shell'
+ - ' -nop '
+ - ' -noprofile '
+ - ' -decode '
+ - ' -enc '
+ condition: selection and selection_destination
fields:
- CommandLine
- ParentCommandLine
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 160c98dfae1..9849bbdd0b7 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -17,6 +17,8 @@
class TestRules(unittest.TestCase):
MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
+ # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
+ TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
path_to_rules = "rules"
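Review bot: The comment above `TRADE_MARKS` is garbled ("to be used on we don't want them") and does not actually explain the rule, since the set itself is plain ASCII. Suggest `# Don't reference trademarks in rules: correct use requires the ® / ™ marks (non-ASCII), which we don't want in rule files`. If the consuming test is a plain substring check, `"MITRE ATT&CK"` is also redundant because it already contains `"ATT&CK"`.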
@@ -58,6 +60,19 @@ def test_confirm_extension_is_yml(self):
self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +
"There are rule files with extensions other than .yml")
+ def test_legal_trademark_violations(self):
+ files_with_legal_issues = []
+
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ with open(file, 'r') as fh:
+ file_data = fh.read()
+ for tm in self.TRADE_MARKS:
+ if tm in file_data:
+ files_with_legal_issues.append(file)
+
+ self.assertEqual(files_with_legal_issues, [], Fore.RED +
+ "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues")
+
def test_confirm_correct_mitre_tags(self):
files_with_incorrect_mitre_tags = []
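Review bot: `test_legal_trademark_violations` appends `file` once per matching trademark (L25131–L25133), so a rule containing "MITRE ATT&CK" — which also contains "ATT&CK" — is reported twice; collapse it to `if any(tm in file_data for tm in self.TRADE_MARKS): files_with_legal_issues.append(file)`. `open(file, 'r')` at L25129 also relies on the locale encoding, and since this check exists precisely because rule files may carry non-ASCII characters, a non-UTF-8 CI locale would turn the intended assertion into a `UnicodeDecodeError`; use `open(file, 'r', encoding='utf-8')`.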
@@ -357,9 +372,10 @@ def test_invalid_logsource_attributes(self):
for key in logsource:
if key.lower() not in ['category', 'product', 'service', 'definition']:
print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
+
def get_mitre_data():
"""
- Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data
+ Generate tags from live TAXI service to get up-to-date data
"""
# Get ATT&CK information
lift = attack_client()
diff --git a/tools/README.md b/tools/README.md
index 4f63c2d1dd4..3b79e6dd59c 100644
--- a/tools/README.md
+++ b/tools/README.md
@@ -346,4 +346,20 @@ tools/sigmac -t es-qs -c tools/config/winlogbeat.yml --backend-option keyword_ba
```bash
tools/sigmac -t es-qs -c tools/config/winlogbeat.yml --backend-option keyword_field=".keyword" --backend-option analyzed_sub_field_name=".security" rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+```
+
+### Devo
+Devo backend admits several configurations that, based on the data source type, will apply a specific mapping and
+will point to the proper Devo table. The current available configurations are:
+* `devo-windows`, for windows sources
+* `devo-web`, for generic web sources (webserver, apache, proxy...)
+* `devo-network`, for generic network sources (firewall, dns...)
+
+These backend configurations will specify the Devo table to build the query upon, and the output query will reference such
+table if the rule sources matches the configuration sources.
+
+For example, in order to translate a windows-related Sigma rule, one would use:
+
+```bash
+tools/sigmac -t devo -c tools/config/devo-windows.yml rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
```
\ No newline at end of file
diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml
new file mode 100644
index 00000000000..dbdd9a215be
--- /dev/null
+++ b/tools/config/carbon-black-eedr.yml
@@ -0,0 +1,141 @@
+title: CarbonBlack Enterprise EDR
+order: 20
+backends:
+ - carbonblack
+ - cb
+fieldmappings:
+ AccountName:
+ - process_username
+ - childproc_username
+ CallingProcessName: process_name
+ CommandLine: process_cmdline
+ ComputerName: device_name
+ Company: process_publisher
+ Description:
+ - process_product_name
+ - process_product_version
+ - process_publisher
+ - process_file_description
+ DestPort:
+ - netconn_port
+ - netconn_remote_port
+ Destination:
+ - netconn_domain
+ DestinationAddress:
+ - netconn_domain
+ - netconn_ipv4
+ - netconn_ipv6
+ - netconn_remote_ipv4
+ - netconn_remote_ipv6
+ DestinationHostname:
+ - netconn_domain
+ - netconn_proxy_domain
+ DestinationIp:
+ - netconn_ipv4
+ - netconn_ipv6
+ - netconn_remote_ipv4
+ - netconn_remote_ipv6
+ DestinationPort:
+ - netconn_port
+ - netconn_remote_port
+ Device: device_name
+ FileName:
+ - process_internal_name
+ - process_name
+ - process_original_filename
+ FileVersion: process_product_version
+ Image:
+ - process_name
+ - process_internal_name
+ IntegrityLevel: process_integrity_level
+ IpAddress:
+ - netconn_ipv4
+ - netconn_ipv6
+ - netconn_local_ipv4
+ - netconn_local_ipv6
+ - netconn_remote_ipv4
+ - netconn_remote_ipv6
+ LogonId:
+ - childproc_username
+ - process_username
+ md5: hash
+ NewName: regmod_new_name
+ OriginalFileName: process_original_filename
+ ParentCommandLine: parent_cmdline
+ ParentImage: parent_name
+ ParentIntegrityLevel: process_integrity_level
+ ProcessCommandLine: process_cmdline
+ ProcessName: process_name
+ Product:
+ - process_product_name
+ - process_file_description
+ RelativeTargetName: childproc_name
+ ScriptBlockText:
+ - childproc_cmdline
+ - crossproc_cmdline
+ - process_cmdline
+ ServiceFileName: process_service_name
+ ServiceName: process_service_name
+ sha256: hash
+ Signature:
+ - childproc_publisher
+ - filemod_publisher
+ - modload_publisher
+ - parent_publisher
+ - process_publisher
+ Signed:
+ - childproc_publisher_state
+ - filemod_publisher_state
+ - modload_publisher_state
+ - parent_publisher_state
+ - process_publisher_state
+ - scriptload_publisher_state
+ SourceImage: parent_name
+ SourceNetworkAddress:
+ - netconn_local_ipv4
+ - netconn_local_ipv6
+ SourcePort:
+ - netconn_local_port
+ - netconn_port
+ SourceWorkstation: device_name
+ TargetFilename:
+ - filemod_name
+ - crossproc_name
+ TargetImage:
+ - filemod_name
+ - crossproc_name
+ TargetName:
+ - filemod_name
+ - crossproc_name
+ TargetUserName:
+ - childproc_username
+ - process_username
+ TargetObject:
+ - regmod_name
+ - regmod_new_name
+ User:
+ - childproc_username
+ - process_username
+ Value:
+ - regmod_name
+ - regmod_new_name
+ Workstation: device_name
+ WorkstationName: device_name
+
+ dst_ip:
+ - netconn_ipv4
+ - netconn_ipv6
+ - netconn_local_ipv4
+ - netconn_local_ipv6
+ - netconn_remote_ipv4
+ - netconn_remote_ipv6
+ dst_port:
+ - netconn_port
+ - netconn_remote_port
+ src_ip:
+ - netconn_ipv4
+ - netconn_ipv6
+ - netconn_local_ipv4
+ - netconn_local_ipv6
+ - netconn_remote_ipv4
+ - netconn_remote_ipv6
\ No newline at end of file
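Review bot: Some mappings pair a Sigma field with a target of different meaning: `ParentIntegrityLevel: process_integrity_level` (L25248) resolves the parent's integrity level to the child's own, and `LogonId` (L25240) maps to username fields, so rules using them convert without error but match the wrong attribute. If the EEDR schema has no equivalent field (I cannot verify that from here), leaving the key unmapped is the safer failure mode because the backend then surfaces the gap instead of hiding it. The file also ends without a trailing newline (L25324).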
diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml
index 4b7d6dd4161..aaf7ae18a12 100644
--- a/tools/config/carbon-black.yml
+++ b/tools/config/carbon-black.yml
@@ -26,7 +26,6 @@ fieldmappings:
#Signature: digsig_result
SourceIp: ipaddr
DestinationAddress: ipaddr
- DestinationPort: ipport
DestPort: ipport
TargetObject: regmod
TargetFilename: filemod
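Review bot: Dropping `DestinationPort: ipport` while keeping `DestPort: ipport` means rules that use the standard `DestinationPort` field now convert to a literal `DestinationPort` term, producing a query that silently never matches rather than a conversion error; the `DestinationHostname: domain` and `Description: file_desc` removals in the next hunk have the same effect. If the removals are deliberate (e.g. the CB fields have different semantics), a comment alongside the existing commented-out `# DestinationPort: ipport` block should say so; otherwise the mappings should stay.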
@@ -38,15 +37,11 @@ fieldmappings:
Product: product_name
Signature: digsig_publisher
CallTrace: modload
- DestinationHostname: domain
User: username
StartModule: modload
Company: company_name
- Description: file_desc
FileVersion: file_version
-
-
# DestinationHostname: hostname
# DestinationIp: ipaddr
# DestinationPort: ipport
diff --git a/tools/config/chronicle.yml b/tools/config/chronicle.yml
new file mode 100644
index 00000000000..8eea48d4aaf
--- /dev/null
+++ b/tools/config/chronicle.yml
@@ -0,0 +1,180 @@
+title: Google Chronicle field mapping
+order: 20
+backends:
+ - chronicle
+fieldmappings:
+ EventID: metadata.product_event_type
+ EventId: metadata.product_event_type
+ event_id: metadata.product_event_type
+ CommandLine: target.process.command_line
+ Commandline: target.process.command_line
+ Command: target.process.command_line
+ ComputerName: target.hostname
+ CurrentDirectory: principal.file.full_path
+ DestinationHostname: target.hostname
+ dest-domain: target.hostname
+ DestinationIp: target.ip
+ event_data.DestinationIp: target.ip
+ destinationIp: target.ip
+ dst_ip: target.ip
+ dest_ip: target.ip
+ DestinationIP: target.ip
+ DestinationIsIpv6: target.ip
+ DestinationAddress: target.ip
+ #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
+ DestinationPort: target.port
+ dst_port: target.port
+ dest_port: target.port
+ DestinationPortName: protocol
+ Details: metadata.description
+ EventType: metadata.event_type
+ type: metadata.event_type
+
+ FileName: target.file.full_path
+ OriginalFileName: target.file.full_path
+ TargetFileName: target.file.full_path
+ event_data.TargetFilename: target.file.full_path
+ file_name: target.file.full_path
+ Targetfilename: target.file.full_path
+ FilePath: target.file.full_path
+
+ Hashes: target.file.md5
+ event_data.Hashes: target.file.md5
+ Hash: target.file.md5
+ hash: target.file.md5
+ Imphash: target.file.md5
+ file_hash: target.file.md5
+ file_hash_imphash: target.file.md5
+
+ Image: target.process.file.full_path
+ event_data.Image: target.process.file.full_path
+ baseImage: src.process.file.full_path
+ ImageLoaded: target.process.file.full_path
+ ImageLoad: target.process.file.full_path
+ ImagePath: target.file.full_path
+
+ IpAddress: principal.ip
+ IpPort: principal.port
+ logonType: extensions.auth.mechanism
+ LogonType: extensions.auth.mechanism
+ ObjectValueName: target.registry.registry_value_name
+
+ ParentCommandLine: src.process.command_line
+ ParentProcessName: src.process.file.full_path
+ ServiceFileName: target.process.command_line
+ ServiceName: target.process.command_line
+ ParentImage: src.process.file.full_path
+ Path: target.file.full_path
+ PipeName: file.name
+ ProcessCommandLine: target.process.command_line
+ ProcessName: target.process.file.full_path
+ process.name: target.process.command_line
+ process.args: target.process.command_line
+ exe: target.process.file.full_path
+ TaskName: target.resource.name
+ TargetProcessAddress: target.process.file.file_metadata.pe.import_hash
+ StartAddress: target.process.file.file_metadata.pe.import_hash
+ event_data.StartAddress: target.process.file.file_metadata.pe.import_hash
+ FailureCode: security_result.description
+ Status: security_result.description
+ TicketOptions: security_result.about.labels.value
+
+ SourceHostname: principal.hostname
+ cs_host:
+ - principal.hostname
+ - target.hostname
+ Host: principal.hostname
+ SourceImage: src.process.file.full_path
+ SourceIp: principal.ip
+ SourceIP: principal.ip
+ SourceAddress: principal.ip
+ src_ip: principal.ip
+ SourceNetworkAddress: principal.ip
+ ip: principal.ip
+ SourcePort: principal.port
+ src_port: principal.port
+ SubjectDomainName: src.user.domain
+ SubjectUserName: src.user.user_display_name
+ SubjectUserSid: src.user.userid
+ TargetFilename: target.file.full_path
+ TargetImage: target.process.file.full_path
+ TargetObject: target.registry.registry_key
+ event_data.TargetObject: target.registry.registry_key
+ TargetDomainName: target.user.domain
+ TargetUserName: target.user.user_display_name
+ TargetUserSid: target.user.userid
+ SidHistory: target.process.product_specific_process_id
+ sid: target.process.product_specific_process_id
+ Sid: target.process.product_specific_process_id
+ User: src.user.user_display_name
+ domain: src.hostname
+ WorkstationName: principal.hostname
+ URL: target.url
+ url: target.url
+ http_uri: target.url
+ c_uri_query: target.url
+ query: target.url
+ c-uri-path: target.url
+ c-useragent: src.application
+ StartModule: src.application
+ UserAgent: src.application
+ User-Agent: src.application
+ http_userAgent: src.application
+ http_url_rootDomain: target.hostname
+ dns_query_name: network.dns.questions.name
+ r_dns: target.hostname
+ r-dns: target.hostname
+ Signature: target.registry.registry_value_data
+ signature: target.registry.registry_value_data
+ Value: target.registry.registry_value_data
+ TargetValue: target.registry.registry_value_data
+ ObjectName:
+ - target.registry.registry_value_data
+ - target.file.full_path
+ ScriptBlockText: target.process.command_line
+ Command_Line: target.process.command_line
+ event_data.CommandLine: target.process.command_line
+ commandLine: target.process.command_line
+ c-uri: target.url
+ cs-uri-query: target.url
+ c-uri-query: target.url
+ c_uri: target.url
+ request_url: target.url
+ cs_uri_query: target.url
+ c-uri-extension: target.url
+ resource.URL: target.url
+ web.url: target.url
+ web.payload: target.url
+ http_method: network.http.method
+ cs_method: network.http.method
+ cs-method: network.http.method
+ HttpMethod: network.http.method
+ web.method: network.http.method
+ web.status: network.http.response_code
+ application: network.http.user_agent
+ Application: network.http.user_agent
+ AccountName: src.user.user_display_name
+ objectType: src.user.user_display_name
+ ObjectType: src.user.user_display_name
+ ShareName: target.resource.name
+ RelativeTargetName: target.file.full_path
+ AccessMask: target.process.access_mask
+ Properties: target.process.file.file_metadata.pe.import_hash
+ Product: metadata.product_name
+ product: metadata.product_name
+ FileVersion: metadata.description
+ description: metadata.description
+ Description: metadata.description
+ Company: metadata.description
+ Source: src.application
+ app: src.application
+ AuthenticationPackageName: src.application
+ action: security_result.action
+ NewProcessName: target.process.command_line
+ answers: network.dns.answers.data
+ answer: network.dns.answers.data
+ sc-status: network.http.response_code
+ cs-host: target.hostname
+ eventName: metadata.description
+ destination.domain: target.hostname
+ destination: target.hostname
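Review bot: Several entries map Sigma fields onto UDM fields of a different type: `TargetProcessAddress`, `StartAddress` and `Properties` (L25432–L25434, L25519) to `...pe.import_hash`, `Imphash` (L25402) to `target.file.md5`, `DestinationIsIpv6` (L25379) to `target.ip`, and `query` (L25473) to `target.url` even though `dns_query_name` (L25481) already targets `network.dns.questions.name`. Rules using these fields convert cleanly but can never match, which is worse than the error an unmapped field would raise; drop the mismatched entries or add a comment naming the intended UDM field. `Hashes: target.file.md5` (L25398) deserves the same scrutiny, since Sysmon-style `Hashes` values are typically `MD5=…,SHA256=…` strings that will not equal a bare md5.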
diff --git a/tools/config/crowdstrike.yml b/tools/config/crowdstrike.yml
index 8a90c07e437..25309412aba 100644
--- a/tools/config/crowdstrike.yml
+++ b/tools/config/crowdstrike.yml
@@ -1,4 +1,4 @@
-title: Splunk Windows log source conditions
+title: Splunk used in Falcon Portal
order: 20
backends:
- crowdstrike
diff --git a/tools/config/devo-network.yml b/tools/config/devo-network.yml
new file mode 100644
index 00000000000..a01bd186bee
--- /dev/null
+++ b/tools/config/devo-network.yml
@@ -0,0 +1,22 @@
+title: Devo sourcetype mappings for network sources
+order: 20
+backends:
+ - devo
+logsources:
+ firewall-product:
+ product: firewall
+ index: firewall.all.traffic
+ firewall-category:
+ category: firewall
+ index: firewall.all.traffic
+ dns:
+ category: dns
+ index: network.dns
+fieldmappings:
+ src_ip: srcIp
+ dst_ip: dstIp
+ dst_port: dstPort
+ parent_domain: select rootdomain(name) as parent_domain
+ record_type: type
+ answer: answers
+ query: name
\ No newline at end of file
diff --git a/tools/config/devo-web.yml b/tools/config/devo-web.yml
new file mode 100644
index 00000000000..3891aedb7fe
--- /dev/null
+++ b/tools/config/devo-web.yml
@@ -0,0 +1,29 @@
+title: Devo sourcetype mappings for web sources
+order: 20
+backends:
+ - devo
+logsources:
+ web:
+ category: webserver
+ index: web.all.access
+ proxy:
+ category: proxy
+ index: proxy.all.access
+ apache:
+ product: apache
+ index: web.all.access
+fieldmappings:
+ c-uri: url
+ c-useragent: userAgent
+ sc-status: statusCode
+ useragent: userAgent
+ cs-method: method
+ clientip: srcIp
+ uri_query: select uriquery(url) as url_query
+ r-dns: select urihost(url) as url_dns
+ cs-host: srcHost
+ c-uri-query: select uriquery(url) as url_query
+ c-uri-stem: url
+ c-uri-extension: select uripath(url) as uri_path
+ cs-uri-query: select uriquery(url) as url_query
+
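Review bot: `cs-host: srcHost` (L25606) maps the Sigma requested-host field to what reads like the client-side host, so rules matching on the server name a client asked for would match the client instead. If the Devo web table has no dedicated host column, the `urihost(url)` select already used for `r-dns` (L25605) looks like the appropriate source, though I cannot confirm the schema from here. The file also ends with an added blank line (L25611).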
diff --git a/tools/config/devo-windows.yml b/tools/config/devo-windows.yml
new file mode 100644
index 00000000000..dbda1152421
--- /dev/null
+++ b/tools/config/devo-windows.yml
@@ -0,0 +1,144 @@
+title: Devo sourcetype mappings for windows sources
+order: 20
+backends:
+ - devo
+logsources:
+ windows:
+ product: windows
+ index: box.all.win
+ windows-category-process_creation:
+ product: windows
+ category: process_creation
+ windows-service-powershell:
+ product: windows
+ service: powershell
+ windows-service-powershell-classic:
+ product: windows
+ service: powershell-classic
+ windows-service-security:
+ product: windows
+ service: security
+ windows-service-sysmon:
+ product: windows
+ service: security
+ windows-category-registry_event:
+ product: windows
+ category: registry_event
+ windows-category-process_access:
+ product: windows
+ category: process_access
+ windows-service-windefend:
+ product: windows
+ service: windefend
+ windows-service-windef:
+ product: windows
+ service: windef
+ windows_defender:
+ product: windows_defender
+ index: box.all.win
+ windows-service-taskscheduler:
+ product: windows
+ service: taskscheduler
+ windows-service-wmi:
+ product: windows
+ service: wmi
+ windows-service-system:
+ product: windows
+ service: system
+ windows-category-network_connection:
+ product: windows
+ category: network_connection
+ windows-category-image_load:
+ product: windows
+ category: image_load
+ windows-category-file_event:
+ product: windows
+ category: file_event
+ windows-category-driver_load:
+ product: windows
+ category: driver_load
+ windows-service-applocker:
+ product: windows
+ service: applocker
+ windows-service-dns-server:
+ product: windows
+ service: dns-server
+ windows-service-ntlm:
+ product: windows
+ service: ntlm
+ windows-service-driver-framework:
+ product: windows
+ service: driver-framework
+ windows-category-create_remote_thread:
+ product: windows
+ category: create_remote_thread
+ windows-category-create_stream_hash:
+ product: windows
+ category: create_stream_hash
+ windows-category-dns_query:
+ product: windows
+ category: dns_query
+ windows-category-file_delete:
+ product: windows
+ category: file_delete
+ windows-category-pipe_created:
+ product: windows
+ category: pipe_created
+ windows-category-raw_access_thread:
+ product: windows
+ category: raw_access_thread
+ windows-category-wmi_event:
+ product: windows
+ category: wmi_event
+fieldmappings:
+ EventID: eventID
+ HostName: machine
+ HostApplication: ProcessName # ???
+ Message: message
+ CommandLine: procCmdLine
+ Commandline: procCmdLine
+ ProcessCommandline: procCmdLine
+ ProcessCommandLine: procCmdLine
+ Image: serviceFileName
+ User: username
+ TaskName: category
+ TargetFilename: serviceFileName # ???
+ ServiceName: service
+ ProcessName: callerProcName
+ OriginalFilename: serviceFileName
+ OriginalFileName: serviceFileName
+ MachineName: machine
+ LogonId: subjectLogonId
+ GroupName: groupName
+ EventType: eventType
+ Description: message
+ Details: extMessage
+ ObjectName: objName
+ CreatorProcessName: parentProcessName
+ ServiceFileName: serviceFileName
+ ObjectType: objType
+ Keywords: keywords
+ SubjectLogonId: subjectLogonId
+ UserName: username
+ Status: status
+ SourceNetworkAddress: srcIp
+ AccountName: account
+ ObjectValueName: objValueName
+ LogonProcessName: procName
+ TargetUserName: targetUsername
+ WorkstationName: workstation
+ SubjectUserName: subjectUsername
+ Source: sourceName
+ Destination: dstIp
+ TargetImage: serviceFileName
+ CallingProcessName: callerProcName
+ TargetName: targetUsername
+ FileName: serviceFileName
+ TargetObject: objName
+ DestinationHostname: machine
+ DestinationIp: dstIp
+ DestinationIsIpv6: dstIp
+ ImageLoaded: serviceFileName
+ ScriptBlockText: select str(jqeval(jqcompile(".columns.data.EventData.ScriptBlockText"), jsonparse(message))) as ScriptBlockText
+ DestinationPort: select int(trim(split(split(rawMessage, "Destination Port:", 1), "&", 0))) as destinationPort / where eventID > 5100 or eventID < 5199
+
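Review bot: The filter appended to `DestinationPort` (L25760), `where eventID > 5100 or eventID < 5199`, is true for every event id — any integer is either greater than 5100 or less than 5199 — so it does not restrict the extraction to the 51xx range; it should read `where eventID > 5100 and eventID < 5199`. Separately, the `windows-service-sysmon` logsource (L25638–L25640) sets `service: security`, duplicating `windows-service-security` directly above it, so rules with `service: sysmon` get no mapping; presumably `service: sysmon` was intended. The `# ???` markers at L25713 and L25722 should either be resolved or turned into comments that state what is uncertain about those mappings.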
diff --git a/tools/config/ecs-dns.yml b/tools/config/ecs-dns.yml
index fddfc32eb32..aaa8e636a25 100644
--- a/tools/config/ecs-dns.yml
+++ b/tools/config/ecs-dns.yml
@@ -56,7 +56,6 @@ fieldmappings:
qclass: dns.qclass
qtype_name: dns.question.type
qtype: dns.qtype
- query: dns.question.name
#question_length: labels.dns.query_length
RA: dns.RA
rcode_name: dns.response_code
diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml
index 2aa441a1743..eabb3c52e15 100644
--- a/tools/config/ecs-proxy.yml
+++ b/tools/config/ecs-proxy.yml
@@ -37,7 +37,6 @@ fieldmappings:
c-uri-stem: url.original
c-uri: url.original
c-useragent: user_agent.original
- cs-bytes: http.request.body.bytes
cs-cookie: http.cookie
cs-host:
- url.domain
diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml
index ac9b8a45c7a..c79b4e8927c 100644
--- a/tools/config/ecs-zeek-elastic-beats-implementation.yml
+++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml
@@ -3,6 +3,7 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- elasticsearch-rule
- kibana
- kibana-ndjson
@@ -1016,4 +1017,4 @@ fieldmappings:
- host
- server_name
dest_ip: destination.ip
- dest_port: destination.port
\ No newline at end of file
+ dest_port: destination.port
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 0714d76995c..cbca160ebb5 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -42,4 +42,19 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ EventLog: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ EventLog: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: logstash-*
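Review bot: The three added logsources mix condition keys — `EventLog:` at L25817 and L25822 but `log_name:` at L25827 — so at most one of the two spellings can match this configuration's field naming, and the other two entries will never select. The sibling configs in this commit use one key consistently (`log_name` in the elk-winlogbeat files, `Channel` in logstash-windows); use whichever key the rest of elk-windows.yml already uses (not visible in this hunk) for all three.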
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 22c65e9b090..b609bec65be 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -42,6 +42,21 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex:
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 4c5925db4c8..007c2ee26c3 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -42,6 +42,21 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index f504463804e..c0950266f0f 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -64,6 +64,24 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ index: windows
+ service: msexchange-management
+ conditions:
+ channel: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ index: windows
+ service: printservice-admin
+ conditions:
+ channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ index: windows
+ service: smbclient-security
+ conditions:
+ channel: 'Microsoft-Windows-SmbClient/Security'
windows-powershell:
product: windows
index: windows
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 2d650f70374..46d3c39bef1 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -9,6 +9,14 @@ logsources:
rewrite:
product: windows
service: sysmon
+ file_change:
+ category: file_change
+ product: windows
+ conditions:
+ EventID: 2
+ rewrite:
+ product: windows
+ service: sysmon
network_connection:
category: network_connection
product: windows
@@ -17,11 +25,69 @@ logsources:
rewrite:
product: windows
service: sysmon
- dns_query:
- category: dns_query
+ sysmon_status:
+ category: sysmon_status
product: windows
conditions:
- EventID: 22
+ EventID:
+ - 4
+ - 16
+ rewrite:
+ product: windows
+ service: sysmon
+ process_terminated:
+ category: process_termination
+ product: windows
+ conditions:
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ create_remote_thread:
+ category: create_remote_thread
+ product: windows
+ conditions:
+ EventID: 8
+ rewrite:
+ product: windows
+ service: sysmon
+ raw_access_thread:
+ category: raw_access_thread
+ product: windows
+ conditions:
+ EventID: 9
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
rewrite:
product: windows
service: sysmon
@@ -36,44 +102,69 @@ logsources:
rewrite:
product: windows
service: sysmon
- file_creation:
- category: file_event
+ create_stream_hash:
+ category: create_stream_hash
product: windows
conditions:
- EventID: 11
+ EventID: 15
rewrite:
product: windows
service: sysmon
- process_access:
- category: process_access
+ pipe_created:
+ category: pipe_created
product: windows
conditions:
- EventID: 10
+ EventID:
+ - 17
+ - 18
rewrite:
product: windows
service: sysmon
- image_loaded:
- category: image_load
+ wmi_event:
+ category: wmi_event
product: windows
conditions:
- EventID: 7
+ EventID:
+ - 19
+ - 20
+ - 21
rewrite:
product: windows
service: sysmon
- driver_loaded:
- category: driver_load
+ dns_query:
+ category: dns_query
product: windows
conditions:
- EventID: 6
+ EventID: 22
rewrite:
product: windows
service: sysmon
- process_terminated:
- category: process_termination
+ file_delete:
+ category: file_delete
product: windows
conditions:
- EventID: 5
+ EventID: 23
+ rewrite:
+ product: windows
+ service: sysmon
+ clipboard_capture:
+ category: clipboard_capture
+ product: windows
+ conditions:
+ EventID: 24
rewrite:
product: windows
service: sysmon
-
+ process_tampering:
+ category: process_tampering
+ product: windows
+ conditions:
+ EventID: 25
+ rewrite:
+ product: windows
+ service: sysmon
+ sysmon_error:
+ category: sysmon_error
+ product: windows
+ conditions:
+ EventID: 255
\ No newline at end of file
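Review bot: The new `sysmon_error` logsource (L26083–L26087) is the only entry without a `rewrite:` block, so rules using `category: sysmon_error` keep the generic logsource instead of being rewritten to `product: windows` / `service: sysmon` like every other category here; add the same three lines below `EventID: 255`. The file also ends without a trailing newline (L26088).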
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index 83b143c96ef..63080759e6e 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
@@ -1,4 +1,4 @@
-title: Conversion of generic process_creation rules into Security/4688
+title: Conversion for Windows Native Auditing Events
order: 10
logsources:
process_creation:
@@ -9,6 +9,18 @@ logsources:
rewrite:
product: windows
service: security
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID: 4657
+ OperationType:
+ - 'New registry value created'
+ - 'Existing registry value modified'
+ rewrite:
+ product: windows
+ service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
+ Details: NewValue
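Review bot: The `registry_event` conversion adds only `Details: NewValue` (L26117), but registry rules select on `TargetObject` (the full key\value path) and `EventType`, and Security event 4657 carries the key and the value name in separate fields (`ObjectName` and `ObjectValueName`), so converted rules will emit an unmapped `TargetObject` term and never match. Either add a `TargetObject` mapping (e.g. to `ObjectName`, with a comment that the value-name component is lost) or document in a comment which rule fields this conversion supports.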
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 1dfb74aaad2..e02b02afb23 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -42,7 +42,21 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
-
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ event_source: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ event_source: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ event_source: 'Microsoft-Windows-SmbClient/Security'
fieldmappings:
EventID: event_id
FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 317abd9f095..1d3232b90ac 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -63,4 +63,19 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ Channel: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ Channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ Channel: 'Microsoft-Windows-SmbClient/Security'
defaultindex: logstash-*
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml
index e7bf8ae9c99..28727d567c4 100644
--- a/tools/config/powershell-windows-all.yml
+++ b/tools/config/powershell-windows-all.yml
@@ -69,3 +69,18 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ LogName: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ LogName: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ LogName: 'Microsoft-Windows-SmbClient/Security'
\ No newline at end of file
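Review bot: The file now ends without a trailing newline after the new `windows-smbclient-security` block, and the same change to `tools/config/powershell.yml` (ending at L26216) does the same. Both files should end with exactly one newline so the next append to the `logsources` mapping produces a clean diff and yamllint's `new-line-at-end-of-file` check passes.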
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index e116f0cd137..dfe2cc2041c 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -83,3 +83,18 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ LogName: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ LogName: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ LogName: 'Microsoft-Windows-SmbClient/Security'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 3c298599aff..18f065c5d73 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -79,5 +79,20 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ source: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ source: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ source: 'Microsoft-Windows-SmbClient/Security'
fieldmappings:
EventID: EventCode
diff --git a/tools/config/stix-custom.yml b/tools/config/stix-custom.yml
new file mode 100644
index 00000000000..c65d890741e
--- /dev/null
+++ b/tools/config/stix-custom.yml
@@ -0,0 +1,128 @@
+title: Additional STIX mapping for future use
+backends:
+ - stix
+order: 10
+fieldmappings:
+ record_type:
+ - x-dns:record_type
+ requestParameters.attribute:
+ - x-cloud:request_parameters
+ responseElements.publiclyAccessible:
+ - x-cloud:publicly_accessible
+ errorMessage:
+ - x-error:message
+ errorCode:
+ - x-error:code
+ responseElements:
+ - x-cloud:response_elements
+ requestParameters.userData:
+ - x-cloud:request_parameters
+ AccessMask:
+ - x-windows:accessmask
+ Accesses:
+ - x-windows:accesses
+ CallTrace:
+ - x-windows:calltrace
+ DestinationIsIpv6:
+ - x-windows:destisipv6
+ ErrorCode:
+ - x-error:code
+ ExtendedErrorCode:
+ - x-error:code
+ - x-error:id
+ GrantedAccess:
+ - x-windows:grantedaccess
+ GroupDomain:
+ - x-group:domain
+ GroupID:
+ - x-group:id
+ GroupName:
+ - x-group:name
+ GroupSecurityID:
+ - x-group:security_id
+ IMPHash:
+ - x-windows:imphash
+ Imphash:
+ - x-windows:imphash
+ ImageTempPath:
+ - process:binary_ref.x_temp_path
+ InitiatedConnection:
+ - x-windows:initiatedconnection
+ Initiated:
+ - x-windows:initiatedconnection
+ IntegrityLevel:
+ - x-windows:integritylevel
+ LogonType:
+ - x-windows:logontype
+ ObjectName:
+ - x-windows:objectname
+ ObjectType:
+ - x-windows:objecttype
+ PipeName:
+ - x-windows:pipename
+ QueryName:
+ - x-windows:queryname
+ QueryResults:
+ - x-windows:queryresults
+ QueryStatus:
+ - x-windows:querystatus
+ ShareName:
+ - x-windows:sharename
+ SharePath:
+ - x-windows:sharepath
+ Signature:
+ - x-windows:signature
+ SignatureStatus:
+ - x-windows:signaturestatus
+ Signed:
+ - x-windows:signed
+ SourceImageTempPath:
+ - x-windows:sourceimagetemppath
+ SourceWorkstation:
+ - x-windows:sourceworkstation
+ StartAddress:
+ - x-windows:startaddress
+ StartFunction:
+ - x-windows:startfunction
+ StartModule:
+ - x-windows:startmodule
+ TargetAccountSecurityID:
+ - x-windows:targetaccountsecurityid
+ TargetComputerDomain:
+ - x-windows:targetcomputerdomain
+ TargetComputerName:
+ - x-windows:targetcomputername
+ TargetDetails:
+ - x-windows:targetdetails
+ TargetImageName:
+ - x-windows:targetimagename
+ TargetProcessGuid:
+ - x-windows:targetprocessguid
+ TargetProcessAddress:
+ - x-windows:startaddress
+ TargetUserDomain:
+ - x-windows:targetuserdomain
+ TargetUserName:
+ - x-windows:targetusername
+ TaskName:
+ - x-windows:taskname
+ TicketEncryptionType:
+ - x-windows:ticketencryptiontype
+ event_data.PipeName:
+ - x-windows:pipename
+ event_data.ServiceFileName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ event_data.ShareName:
+ - x-windows:sharename
+ event_data.Signature:
+ - x-windows:signature
+ event_data.SourceImage:
+ - x-windows:sourceimage
+ event_data.StartModule:
+ - x-windows:startmodule
+ event_data.TargetImage:
+ - x-windows:targetimage
+ key:
+ - x-sigma:keywords
+ sc-status:
+ - x-web:status_code
diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml
deleted file mode 100644
index 3bab207251d..00000000000
--- a/tools/config/stix-linux.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: STIX for Linux Logs
-backends:
- - stix
-order: 40
-logsources:
- linux:
- product: linux
-fieldmappings:
- type:
- - x-event:action
- keywords:
- - artifact:payload_bin
- a0:
- - process:command_line
- a1:
- - process:command_line
- name:
- - file:name
- a3:
- - process:command_line
- key:
- - x-sigma:keywords
- exe:
- - file:name
- a2:
- - process:command_line
- SYSCALL:
- - x-event:action
- pam_message:
- - x-event:action
- pam_user:
- - user-account:user_id
- pam_rhost:
- - x-host:name
- USER:
- - user-account:user_id
\ No newline at end of file
diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml
deleted file mode 100644
index cd78c1904a0..00000000000
--- a/tools/config/stix-qradar.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: STIX for QRadar
-backends:
- - stix
-order: 30
-fieldmappings:
- categoryid:
- - x-ibm-ariel:category_id
- categoryname:
- - x-ibm-ariel:category_name
- credescription:
- - x-ibm-finding:description
- Description:
- - x-ibm-finding:description
- credibility:
- - x-ibm-ariel:credibility
- crename:
- - x-ibm-finding:name
- devicetype:
- - x-ibm-ariel:device_type
- Device:
- - x-ibm-ariel:device_type
- direction:
- - x-ibm-ariel:direction
- domainid:
- - x-ibm-ariel:domain_id
- geographic:
- - x-ibm-ariel:geographic
- high_level_category_id:
- - x-ibm-ariel:high_level_category_id
- high_level_category_name:
- - x-ibm-ariel:high_level_category_name
- identityhostname:
- - x-ibm-ariel:identity_host_name
- logsourceid:
- - x-ibm-ariel:log_source_id
- logsourcename:
- - x-ibm-ariel:log_source_name
- logsourcetypename:
- - x-ibm-ariel:log_source_type_name
- magnitude:
- - x-ibm-ariel:magnitude
- qid:
- - x-ibm-ariel:qid
- qidname:
- - x-ibm-ariel:event_name
- relevance:
- - x-ibm-ariel:relevance
- rulenames:
- - x-ibm-ariel:rule_names[*]
- severity:
- - x-ibm-ariel:severity
diff --git a/tools/config/stix-shifter.yml b/tools/config/stix-shifter.yml
new file mode 100644
index 00000000000..0ad48d7f75a
--- /dev/null
+++ b/tools/config/stix-shifter.yml
@@ -0,0 +1,115 @@
+title: Custom mappings for stix-shifter project
+backends:
+ - stix
+order: 30
+fieldmappings:
+ # x-oca-event SCO
+ action:
+ - x-oca-event:action
+ operation:
+ - x-oca-event:action
+ event.category:
+ - x-oca-event:category
+ eventName:
+ - x-oca-event:action
+ eventType:
+ - x-oca-event:category
+ Description:
+ - x-oca-event:action
+ - x-ibm-finding:description
+ Event-ID:
+ - x-oca-event:code
+ EventID:
+ - x-oca-event:code
+ Event_ID:
+ - x-oca-event:code
+ event-id:
+ - x-oca-event:code
+ eventId:
+ - x-oca-event:code
+ EventType:
+ - x-oca-event:action
+ Message:
+ - x-oca-event:original
+ Details:
+ - windows-registry-key:values[*].data
+ - x-oca-event:original
+ event_id:
+ - x-oca-event:code
+ eventid:
+ - x-oca-event:code
+ type:
+ - x-oca-event:action
+ pam_message:
+ - x-oca-event:action
+
+ # x-oca-asset SCO
+ cs-host:
+ - x-oca-asset:hostname
+ - domain-name:value
+ eventSource:
+ - x-oca-asset:hostname
+ ComputerName:
+ - x-oca-asset:hostname
+ pam_rhost:
+ - x-oca-asset:hostname
+
+ # DNS network extension
+ r-dns:
+ - domain-name:value
+ - url:value
+ - network-traffic:extensions.'dns-ext'.question.domain_ref
+ query:
+ - domain-name:value
+ - url:value
+ - network-traffic:extensions.'dns-ext'.question.domain_ref
+
+ # x-ibm-finding object
+ credescription:
+ - x-ibm-finding:description
+ crename:
+ - x-ibm-finding:name
+ rulenames:
+ - x-ibm-finding:rule_names[*]
+
+ # x-qradar custom object
+ categoryid:
+ - x-qradar:category_id
+ categoryname:
+ - x-qradar:category_name
+ credibility:
+ - x-qradar:credibility
+ Device:
+ - x-qradar:device_type
+ - file:name
+ devicetype:
+ - x-qradar:device_type
+ direction:
+ - x-qradar:direction
+ domainid:
+ - x-qradar:domain_id
+ geographic:
+ - x-qradar:geographic
+ high_level_category_id:
+ - x-qradar:high_level_category_id
+ high_level_category_name:
+ - x-qradar:high_level_category_name
+ identityhostname:
+ - x-qradar:identity_host_name
+ logsourceid:
+ - x-qradar:log_source_id
+ logsourcename:
+ - x-qradar:log_source_name
+ logsourcetypename:
+ - x-qradar:log_source_type_name
+ magnitude:
+ - x-qradar:magnitude
+ qid:
+ - x-qradar:qid
+ qidname:
+ - x-qradar:event_name
+ relevance:
+ - x-qradar:relevance
+ severity:
+ - x-qradar:severity
+
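Review bot: `Device` is mapped to both `x-qradar:device_type` and `file:name` (the entries under the `# x-qradar custom object` heading), so a rule's `Device` condition is expanded into an OR across a QRadar device-type property and a file name, two unrelated observables, which widens the pattern well beyond what the rule author intended. The `file:name` half looks carried over from the deleted `stix-windows.yml`, where `Device` had only that meaning; if the Windows sense is still needed it belongs in the Windows-scoped config rather than in the QRadar section, and the entry here should be just `- x-qradar:device_type`. The file also ends with an empty `+` line, which yamllint reports as trailing blank lines.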
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml
deleted file mode 100644
index 6a9de243c90..00000000000
--- a/tools/config/stix-windows.yml
+++ /dev/null
@@ -1,269 +0,0 @@
-title: STIX for Windows Logs
-backends:
- - stix
-order: 40
-logsources:
- windows:
- product: windows
-fieldmappings:
- AccessMask:
- - x-windows:accessmask
- Accesses:
- - x-windows:accesses
- AccountDomain:
- - user-account:x_domain
- AccountID:
- - user-account:user_id
- AccountName:
- - user-account:account_login
- - user-account:display_name
- AccountSecurityID:
- - user-account:x_security_id
- CallTrace:
- - x-windows:calltrace
- ClientIP:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- ComputerName:
- - x-host:name
- Description:
- - x-event:action
- DestinationIsIpv6:
- - x-windows:destisipv6
- DestinationHostname:
- - network-traffic:dst_ref.value
- Device:
- - file:name
- ErrorCode:
- - x-error:code
- Event-ID:
- - x-event:id
- - x-event:code
- EventID:
- - x-event:id
- - x-event:code
- Event_ID:
- - x-event:id
- - x-event:code
- EventType:
- - x-event:action
- ExtendedErrorCode:
- - x-error:code
- - x-error:id
- FileDirectory:
- - directory:path
- FileExtension:
- - file:x_extension
- FileHash:
- - file:hashes.SHA-256
- - file:hashes.MD5
- - file:hashes.SHA-1
- FilePath:
- - file:name
- Filename:
- - file:name
- GrantedAccess:
- - x-windows:grantedaccess
- GroupDomain:
- - x-group:domain
- GroupID:
- - x-group:id
- GroupName:
- - x-group:name
- GroupSecurityID:
- - x-group:security_id
- HomeDirectory:
- - directory:path
- IMPHash:
- - x-windows:imphash
- Imphash:
- - x-windows:imphash
- Image:
- - process:image_ref.name
- ImageLoadedTempPath:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
- ImageName:
- - process:image_ref.name
- ImagePath:
- - process:image_ref.name
- ImageTempPath:
- - process:image_ref.x_temp_path
- InitiatedConnection:
- - x-windows:initiatedconnection
- Initiated:
- - x-windows:initiatedconnection
- InitiatorUserName:
- - user-account:user_id
- - user-account:account_login
- IntegrityLevel:
- - x-windows:integritylevel
- LoadedImage:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- LoadedImageName:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- LogonType:
- - x-windows:logontype
- MD5Hash:
- - file:hashes.MD5
- Message:
- - x-event:original
- NewName:
- - windows-registry-key:key
- ObjectName:
- - x-windows:objectname
- ObjectType:
- - x-windows:objecttype
- ParentCommandLine:
- - process:parent_ref.command_line
- ParentImage:
- - process:parent_ref.image_ref.name
- ParentImageName:
- - process:parent_ref.image_ref.name
- ParentProcessGuid:
- - process:parent_ref.x_guid
- ParentProcessName:
- - process:parent_ref.image_ref.name
- ParentProcessPath:
- - process:parent_ref.image_ref.name
- PipeName:
- - x-windows:pipename
- ProcessCommandLine:
- - process:command_line
- Command:
- - process:command_line
- CommandLine:
- - process:command_line
- ProcessGuid:
- - process:x_guid
- ProcessId:
- - process:pid
- ProcessName:
- - process:image_ref.name
- ProcessPath:
- - process:image_ref.name
- QueryName:
- - x-windows:queryname
- QueryResults:
- - x-windows:queryresults
- QueryStatus:
- - x-windows:querystatus
- RegistryKey:
- - windows-registry-key:key
- RegistryValueData:
- - windows-registry-key:values[*].data
- RegistryValueName:
- - windows-registry-key:values[*].name
- SAMAccountName:
- - user-account:account_login
- - user-account:display_name
- SHA1Hash:
- - file:hashes.SHA-1
- SHA256Hash:
- - file:hashes.SHA-256
- ServiceFileName:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- ServiceName:
- - process:extensions.'windows-service-ext'.service_name
- ShareName:
- - x-windows:sharename
- SharePath:
- - x-windows:sharepath
- Signature:
- - x-windows:signature
- SignatureStatus:
- - x-windows:signaturestatus
- Signed:
- - x-windows:signed
- SourceImage:
- - x-windows:sourceimage
- SourceImageTempPath:
- - x-windows:sourceimagetemppath
- SourceWorkstation:
- - x-windows:sourceworkstation
- StartAddress:
- - x-windows:startaddress
- StartFunction:
- - x-windows:startfunction
- StartModule:
- - x-windows:startmodule
- TargetAccountSecurityID:
- - x-windows:targetaccountsecurityid
- TargetComputerDomain:
- - x-windows:targetcomputerdomain
- TargetComputerName:
- - x-windows:targetcomputername
- TargetDetails:
- - x-windows:targetdetails
- Details:
- - windows-registry-key:values[*].data
- - x-event:original
- TargetFilename:
- - file:name
- TargetImage:
- - x-windows:targetimage
- TargetImageName:
- - x-windows:targetimagename
- TargetObject:
- - windows-registry-key:key
- TargetProcessGuid:
- - x-windows:targetprocessguid
- TargetProcessAddress:
- - x-windows:startaddress
- TargetUserDomain:
- - x-windows:targetuserdomain
- TargetUserName:
- - x-windows:targetusername
- TaskName:
- - x-windows:taskname
- TicketEncryptionType:
- - x-windows:ticketencryptiontype
- User:
- - user-account:user_id
- UserDomain:
- - user-account:x_domain
- event-id:
- - x-event:id
- eventId:
- - x-event:id
- event_data.FileName:
- - file:name
- event_data.Image:
- - process:image_ref.name
- event_data.ImageLoaded:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- ImageLoaded:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- event_data.ImagePath:
- - process:image_ref.name
- event_data.ParentCommandLine:
- - process:parent_ref.command_line
- event_data.ParentImage:
- - process:parent_ref.image_ref.name
- event_data.ParentProcessName:
- - process:parent_ref.image_ref.name
- event_data.PipeName:
- - x-windows:pipename
- event_data.ServiceFileName:
- - process:extensions.'windows-service-ext'.service_dll_refs[*].name
- event_data.ShareName:
- - x-windows:sharename
- event_data.Signature:
- - x-windows:signature
- event_data.SourceImage:
- - x-windows:sourceimage
- event_data.StartModule:
- - x-windows:startmodule
- event_data.SubjectUserName:
- - user-account:user_id
- - user-account:account_login
- event_data.TargetFilename:
- - file:name
- event_data.TargetImage:
- - x-windows:targetimage
- event_data.User:
- - user-account:user_id
- event_id:
- - x-event:id
- eventid:
- - x-event:id
\ No newline at end of file
diff --git a/tools/config/stix.yml b/tools/config/stix.yml
deleted file mode 100644
index 88b37fba080..00000000000
--- a/tools/config/stix.yml
+++ /dev/null
@@ -1,175 +0,0 @@
-title: Basic STIX
-backends:
- - stix
-order: 20
-fieldmappings:
- action:
- - x-event:action
- User:
- - user-account:user_id
- c-ip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- cs-ip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- destinationip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
- destinationmac:
- - mac-addr:value
- - network-traffic:dst_ref.value
- destinationport:
- - network-traffic:dst_port
- dst_port:
- - network-traffic:dst_port
- domainname:
- - domain-name:value
- dst:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
- dst_ip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
- endtime:
- - network-traffic:end
- event_data.DestinationIp:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
- DestinationIp:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:dst_ref.value
- event_data.DestinationPort:
- - network-traffic:dst_port
- DestinationPort:
- - network-traffic:dst_port
- destination.port:
- - network-traffic:dst_port
- event_data.SubjectUserName:
- - user-account:user_id
- event_data.User:
- - user-account:user_id
- filehash:
- - file:hashes.SHA-256
- - file:hashes.MD5
- - file:hashes.SHA-1
- filename:
- - file:name
- filepath:
- - file:parent_directory_ref
- - directory:path
- identityip:
- - ipv4-addr:value
- protocolid:
- - network-traffic:protocols[*]
- sourceip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- sourcemac:
- - mac-addr:value
- - network-traffic:src_ref.value
- sourceport:
- - network-traffic:src_port
- SourcePort:
- - network-traffic:src_port
- src:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- src_ip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- starttime:
- - network-traffic:start
- url:
- - url:value
- user:
- - user-account:user_id
- username:
- - user-account:user_id
- utf8_payload:
- - artifact:payload_bin
-
- # Web + Proxy mapping
- c-uri:
- - network-traffic:extensions.'http-request-ext'.request_value
- - url:value
- c-uri-query:
- - network-traffic:extensions.'http-request-ext'.request_value
- - url:value
- c-uri-stem:
- - network-traffic:extensions.'http-request-ext'.request_value
- - url:value
- keywords:
- - artifact:payload_bin
- cs-method:
- - network-traffic:extensions.'http-request-ext'.request_method
- sc-status:
- - x-web:status_code
- clientip:
- - ipv4-addr:value
- - ipv6-addr:value
- - network-traffic:src_ref.value
- c-useragent:
- - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
- r-dns:
- - domain-name:value
- - url:value
- - x-dns:query
- cs-host:
- - x-host:name
- - domain-name:value
- cs-cookie:
- - network-traffic:extensions.'http-request-ext'.request_header.Cookie
- query:
- - domain-name:value
- - url:value
- - x-dns:query
- record_type:
- - x-dns:record_type
- operation:
- - x-event:action
-
- # Compliance mapping
- event.category:
- - x-event:action
- host.scan.vuln_name:
- - vulnerability:name
- host.scan.vuln:
- - vulnerability:external_references[*].external_id
-
- # Cloud mapping
- eventSource:
- - x-host:name
- eventName:
- - x-event:action
- requestParameters.attribute:
- - x-cloud:request_parameters
- responseElements.publiclyAccessible:
- - x-cloud:publicly_accessible
- errorMessage:
- - x-error:message
- errorCode:
- - x-error:code
- responseElements:
- - x-cloud:response_elements
- requestParameters.userData:
- - x-cloud:request_parameters
- userIdentity.type:
- - user-account:account_login
- eventType:
- - x-event:action
- userIdentity.arn:
- - user-account:account_login
- - user-account:display_name
- responseElements.pendingModifiedValues.masterUserPassword:
- - user-account:credential
diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml
new file mode 100644
index 00000000000..afe291144bc
--- /dev/null
+++ b/tools/config/stix2.0.yml
@@ -0,0 +1,284 @@
+title: Official STIX 2.0
+backends:
+ - stix
+order: 100
+fieldmappings:
+ User:
+ - user-account:user_id
+ USER:
+ - user-account:user_id
+ user:
+ - user-account:user_id
+ event_data.SubjectUserName:
+ - user-account:user_id
+ - user-account:account_login
+ c-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ cs-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ destinationip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ destinationmac:
+ - mac-addr:value
+ - network-traffic:dst_ref.value
+ destinationport:
+ - network-traffic:dst_port
+ dst_port:
+ - network-traffic:dst_port
+ domainname:
+ - domain-name:value
+ dst:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ dst_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ endtime:
+ - network-traffic:end
+ event_data.DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ event_data.DestinationPort:
+ - network-traffic:dst_port
+ DestinationPort:
+ - network-traffic:dst_port
+ destination.port:
+ - network-traffic:dst_port
+ filehash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ filename:
+ - file:name
+ filepath:
+ - file:parent_directory_ref
+ - directory:path
+ identityip:
+ - ipv4-addr:value
+ protocolid:
+ - network-traffic:protocols[*]
+ sourceip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ sourcemac:
+ - mac-addr:value
+ - network-traffic:src_ref.value
+ sourceport:
+ - network-traffic:src_port
+ SourcePort:
+ - network-traffic:src_port
+ src:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ src_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ starttime:
+ - network-traffic:start
+ url:
+ - url:value
+ username:
+ - user-account:user_id
+ utf8_payload:
+ - artifact:payload_bin
+
+ # Web + Proxy mapping
+ c-uri:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ c-uri-query:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ c-uri-stem:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ keywords:
+ - artifact:payload_bin
+ cs-method:
+ - network-traffic:extensions.'http-request-ext'.request_method
+ clientip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ c-useragent:
+ - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
+ r-dns:
+ - domain-name:value
+ - url:value
+ cs-host:
+ - domain-name:value
+ cs-cookie:
+ - network-traffic:extensions.'http-request-ext'.request_header.Cookie
+ query:
+ - domain-name:value
+ - url:value
+
+ # Compliance mapping
+ host.scan.vuln_name:
+ - vulnerability:name
+ host.scan.vuln:
+ - vulnerability:external_references[*].external_id
+
+ # Cloud mapping
+ userIdentity.type:
+ - user-account:account_login
+ userIdentity.arn:
+ - user-account:account_login
+ - user-account:display_name
+ responseElements.pendingModifiedValues.masterUserPassword:
+ - user-account:credential
+ AccountDomain:
+ - user-account:x_domain
+ AccountID:
+ - user-account:user_id
+ AccountName:
+ - user-account:account_login
+ - user-account:display_name
+ AccountSecurityID:
+ - user-account:x_security_id
+ ClientIP:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ DestinationHostname:
+ - network-traffic:dst_ref.value
+ Device:
+ - file:name
+ FileDirectory:
+ - directory:path
+ FileExtension:
+ - file:x_extension
+ FileHash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ FilePath:
+ - file:name
+ Filename:
+ - file:name
+ HomeDirectory:
+ - directory:path
+ Image:
+ - process:binary_ref.name
+ ImageLoadedTempPath:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
+ ImageName:
+ - process:binary_ref.name
+ ImagePath:
+ - process:binary_ref.parent_directory_ref.path.name
+ SourceImage:
+ - process:binary_ref.name
+ InitiatorUserName:
+ - user-account:user_id
+ - user-account:account_login
+ LoadedImage:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ LoadedImageName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ MD5Hash:
+ - file:hashes.MD5
+ NewName:
+ - windows-registry-key:key
+ ParentCommandLine:
+ - process:parent_ref.command_line
+ ParentImage:
+ - process:parent_ref.binary_ref.name
+ ParentImageName:
+ - process:parent_ref.binary_ref.name
+ ParentProcessGuid:
+ - process:parent_ref.x_guid
+ ParentProcessName:
+ - process:parent_ref.binary_ref.name
+ ParentProcessPath:
+ - process:parent_ref.binary_ref.name
+ ProcessCommandLine:
+ - process:command_line
+ Command:
+ - process:command_line
+ CommandLine:
+ - process:command_line
+ ProcessGuid:
+ - process:x_guid
+ ProcessId:
+ - process:pid
+ ProcessName:
+ - process:binary_ref.name
+ ProcessPath:
+ - process:binary_ref.parent_directory_ref.path
+ RegistryKey:
+ - windows-registry-key:key
+ RegistryValueData:
+ - windows-registry-key:values[*].data
+ RegistryValueName:
+ - windows-registry-key:values[*].name
+ SAMAccountName:
+ - user-account:account_login
+ - user-account:display_name
+ SHA1Hash:
+ - file:hashes.SHA-1
+ SHA256Hash:
+ - file:hashes.SHA-256
+ ServiceFileName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ ServiceName:
+ - process:extensions.'windows-service-ext'.service_name
+ Details:
+ - windows-registry-key:values[*].data
+ TargetFilename:
+ - file:name
+ TargetImage:
+ - process:binary_ref.name
+ TargetObject:
+ - windows-registry-key:key
+ UserDomain:
+ - user-account:x_domain
+ event_data.FileName:
+ - file:name
+ event_data.Image:
+ - process:binary_ref.name
+ event_data.ImageLoaded:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ ImageLoaded:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ event_data.ImagePath:
+ - process:binary_ref.parent_directory_ref.path
+ event_data.ParentCommandLine:
+ - process:parent_ref.command_line
+ event_data.ParentImage:
+ - process:parent_ref.binary_ref.name
+ event_data.ParentProcessName:
+ - process:parent_ref.binary_ref.name
+ event_data.TargetFilename:
+ - file:name
+ event_data.User:
+ - user-account:user_id
+ a0:
+ - process:command_line
+ a1:
+ - process:command_line
+ name:
+ - file:name
+ a3:
+ - process:command_line
+ exe:
+ - file:name
+ a2:
+ - process:command_line
+ pam_user:
+ - user-account:user_id
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index a26d000f851..285ef0273ce 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -71,6 +71,21 @@ logsources:
service: ntlm
conditions:
EventChannel: 'Microsoft-Windows-NTLM/Operational'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ EventChannel: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ EventChannel: 'Microsoft-Windows-SmbClient/Security'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ EventChannel: 'MSExchange Management'
apache:
product: apache
service: apache
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 3e67dcf5a84..394839ec53c 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -25,80 +25,214 @@ logsources:
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
+ network_connection:
+ category: network_connection
+ product: windows
+ conditions:
+ EventID: 3
+ rewrite:
+ product: windows
+ service: sysmon
+ process_terminated:
+ category: process_termination
+ product: windows
+ conditions:
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ create_remote_thread:
+ category: create_remote_thread
+ product: windows
+ conditions:
+ EventID: 8
+ rewrite:
+ product: windows
+ service: sysmon
+ raw_access_thread:
+ category: raw_access_thread
+ product: windows
+ conditions:
+ EventID: 9
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
+ rewrite:
+ product: windows
+ service: sysmon
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID:
+ - 12
+ - 13
+ - 14
+ rewrite:
+ product: windows
+ service: sysmon
+ create_stream_hash:
+ category: create_stream_hash
+ product: windows
+ conditions:
+ EventID: 15
+ rewrite:
+ product: windows
+ service: sysmon
+ pipe_created:
+ category: pipe_created
+ product: windows
+ conditions:
+ EventID:
+ - 17
+ - 18
+ rewrite:
+ product: windows
+ service: sysmon
+ wmi_event:
+ category: wmi_event
+ product: windows
+ conditions:
+ EventID:
+ - 19
+ - 20
+ - 21
+ rewrite:
+ product: windows
+ service: sysmon
+ dns_query:
+ category: dns_query
+ product: windows
+ conditions:
+ EventID: 22
+ rewrite:
+ product: windows
+ service: sysmon
+ file_delete:
+ category: file_delete
+ product: windows
+ conditions:
+ EventID: 23
+ rewrite:
+ product: windows
+ service: sysmon
# target system configurations
windows-application:
product: windows
service: application
sources:
- - 'WinEventLog:Application'
+ - "WinEventLog:Application"
windows-security:
product: windows
service: security
sources:
- - 'WinEventLog:Security'
+ - "WinEventLog:Security"
windows-system:
product: windows
service: system
sources:
- - 'WinEventLog:System'
+ - "WinEventLog:System"
windows-ntlm:
product: windows
service: ntlm
sources:
- - 'WinEventLog:Microsoft-Windows-NTLM/Operational'
+ - "WinEventLog:Microsoft-Windows-NTLM/Operational"
windows-sysmon:
product: windows
service: sysmon
sources:
- - 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
+ - "WinEventLog:Microsoft-Windows-Sysmon/Operational"
windows-powershell:
product: windows
service: powershell
sources:
- - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
+ - "WinEventLog:Microsoft-Windows-PowerShell/Operational"
windows-taskscheduler:
product: windows
service: taskscheduler
sources:
- - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
+ - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
windows-wmi:
product: windows
service: wmi
sources:
- - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+ - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
windows-dhcp:
product: windows
service: dhcp
sources:
- - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
+ - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ sources:
+ - "WinEventLog:Microsoft-Windows-PrintService/Admin"
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ sources:
+ - "Microsoft-Windows-SmbClient/Security"
windows-applocker:
product: windows
service: applocker
- conditions:
- sources:
- - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
+ sources:
+ - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ sources:
+ - 'WinEventLog:MSExchange Management'
apache:
category: webserver
sources:
- - 'File:/var/log/apache/*.log'
- - 'File:/var/log/apache2/*.log'
- - 'File:/var/log/httpd/*.log'
+ - "File:/var/log/apache/*.log"
+ - "File:/var/log/apache2/*.log"
+ - "File:/var/log/httpd/*.log"
linux-auth:
product: linux
service: auth
sources:
- - 'File:/var/log/auth.log'
- - 'File:/var/log/auth.log.?'
+ - "File:/var/log/auth.log"
+ - "File:/var/log/auth.log.?"
linux-syslog:
product: linux
service: syslog
sources:
- - 'File:/var/log/syslog'
- - 'File:/var/log/syslog.?'
+ - "File:/var/log/syslog"
+ - "File:/var/log/syslog.?"
logfiles:
category: logfile
sources:
- - 'File:*.log'
+ - "File:*.log"
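Review bot: The `windows-smbclient-security` source entry `"Microsoft-Windows-SmbClient/Security"` is the only Windows event-log source in this hunk without the `WinEventLog:` prefix that every sibling carries (compare `windows-printservice-admin` directly above it), so it will not be selected the way the other channels are; it should read `- "WinEventLog:Microsoft-Windows-SmbClient/Security"`. Separately, the hunk switches most `sources` entries from single to double quotes but leaves `windows-applocker` and the new `windows-msexchange-management` single-quoted, so the file now mixes both styles for identical plain strings; picking one (single quotes are enough, nothing here needs escapes) keeps the next diff to the real change.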
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 2ea60e4c677..a066280d5fb 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -4,6 +4,8 @@ backends:
- es-qs
- es-dsl
- es-rule
+ - es-rule-eql
+ - es-eql
- kibana
- kibana-ndjson
- xpack-watcher
@@ -25,11 +27,26 @@ logsources:
service: security
conditions:
winlog.channel: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
@@ -55,6 +72,16 @@ logsources:
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
@@ -64,6 +91,11 @@ logsources:
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ winlog.channel: 'MSExchange Management'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -79,7 +111,7 @@ fieldmappings:
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
- CommandLine: process.args
+ CommandLine: process.command_line
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
@@ -120,15 +152,17 @@ fieldmappings:
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
- ParentCommandLine: process.parent.args
+ ParentCommandLine: process.parent.command_line
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
+ Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
+ ScriptBlockText: powershell.file.script_block_text
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
@@ -143,6 +177,7 @@ fieldmappings:
src_port: source.port
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
StartModule: winlog.event_data.StartModule
+ State: winlog.event_data.State
Status: winlog.event_data.Status
SubjectDomainName: user.domain
SubjectUserName: user.name
@@ -170,3 +205,12 @@ fieldmappings:
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
+ # powershell
+ SequenceNumber: event.sequence
+ NewEngineState: powershell.engine.new_state
+ PreviousEngineState: powershell.engine.previous_state
+ NewProviderState: powershell.provider.new_state
+ ProviderName: powershell.provider.name
+ HostId: process.entity_id
+ HostApplication: process.command_line
+ HostName: process.title
\ No newline at end of file
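Review bot: The PowerShell mappings added at L27722-27729 sit in the global `fieldmappings` section, so `HostName: process.title` and `HostApplication: process.command_line` are applied to every Windows rule, not only to `service: powershell` / `powershell-classic` ones; any rule in any log source that names a `HostName` field will now be rewritten to `process.title`. sigmac does support log-source-scoped mappings (the Elasticsearch backend in this same diff imports `ConditionalFieldMapping`, L28284), so if this config grammar allows it these eight lines should be restricted to the two PowerShell services rather than declared globally. The comment `# powershell` on L27721 documents the intent but does not enforce it. The file also loses its trailing newline (L27730).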
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 8f88f05cbfe..be68b31938f 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -24,11 +24,26 @@ logsources:
service: security
conditions:
log_name: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
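Review bot: The three new log sources key on `winlog.channel` (L27743, L27753, L27758) while every existing entry in this file keys on `log_name` (L27738, L27748); this is the pre-7.x winlogbeat schema the file name implies, where the channel field is `log_name`, so rules for `system`, `powershell` and `powershell-classic` would be emitted with a condition on a field that does not exist in these events and would never match. Change them to `log_name: System`, `log_name: 'Microsoft-Windows-PowerShell/Operational'` and `log_name: 'Windows PowerShell'` to match the rest of the file. The `winlogbeat.yml` variant (L27780-27799) is the one that should use `winlog.channel`.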
@@ -117,7 +132,9 @@ fieldmappings:
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
+ Product: event_data.Product
Properties: event_data.Properties
+ ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
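Review bot: `ScriptBlockText: winlog.event_data.ScriptBlockText` (L27768) uses the newer `winlog.` prefix while every sibling mapping in this file, including the `Product: event_data.Product` line added right above it, uses the old `event_data.X` form (L27763-27770); in this schema the field would be `event_data.ScriptBlockText`, so PowerShell script-block rules converted with this config would target a non-existent field. Change the line to `ScriptBlockText: event_data.ScriptBlockText`.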
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 87e26ce82af..3cb86cc88dc 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -24,11 +24,26 @@ logsources:
service: security
conditions:
winlog.channel: Security
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
@@ -54,6 +69,16 @@ logsources:
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ winlog.channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
@@ -70,6 +95,7 @@ defaultindex: winlogbeat-*
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
+ AccessList: winlog.event_data.AccessList
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
@@ -120,8 +146,11 @@ fieldmappings:
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
+ Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
+ SAMAccountName: winlog.event_data.SamAccountName
+ ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt
deleted file mode 100644
index 3665b6ee49f..00000000000
--- a/tools/requirements-devel.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-coverage~=5.0
-yamllint~=1.21
-elasticsearch~=7.6
-elasticsearch-async~=6.2
-setuptools
-wheel
-pytest~=5.4
-colorama
-stix2
-attackcti
\ No newline at end of file
diff --git a/tools/requirements.txt b/tools/requirements.txt
deleted file mode 100644
index 3debba0b4d4..00000000000
--- a/tools/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-pyyaml>=4.2b1
-requests~=2.23
-urllib3~=1.25
-progressbar2~=3.47
-pymisp~=2.4.123
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 1ef7e175af9..e9901e06d5f 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -114,6 +114,8 @@ def __init__(self, sigmaconfig, backend_options=dict()):
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
+ if len(sigmaparser.condparsed) > 1:
+ raise NotImplementedError("Base backend doesn't support multiple conditions")
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed)
before = self.generateBefore(parsed)
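Review bot: The new guard's message hard-codes "Base backend" although this `generate` is inherited by every backend that does not override it, so a user converting a multi-condition rule is not told which target rejected it; `raise NotImplementedError(f"{self.identifier} backend doesn't support multiple conditions")` names the actual backend (identifier is a class attribute on the backends shown in this diff, e.g. L27907 — confirm the base class sets a default). Note also that the loop and `return` below now effectively run once, so the comment-free `for` reads oddly; a one-line comment saying the loop is kept for subclasses that relax the check would help. The body of `generate` continues past the hunk.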
diff --git a/tools/sigma/backends/chronicle.py b/tools/sigma/backends/chronicle.py
new file mode 100644
index 00000000000..c1516ad6565
--- /dev/null
+++ b/tools/sigma/backends/chronicle.py
@@ -0,0 +1,192 @@
+import re
+from datetime import datetime
+
+import sigma
+from sigma.backends.base import SingleTextQueryBackend
+from sigma.backends.mixins import MultiRuleOutputMixin
+
+from .exceptions import NotSupportedError
+from ..parser.condition import SigmaAggregationParser
+from ..parser.modifiers.base import SigmaTypeModifier
+from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier
+from ..parser.modifiers.type import SigmaRegularExpressionModifier
+
+comparative = ["greater_than",
+ "greater_equal",
+ "less_than",
+ "less_equal",
+ ]
+
+class ChronicleBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into Google Chronicle YARA-L. Contributed by SOC Prime. https://socprime.com"""
+ identifier = "chronicle"
+ active = True
+ andToken = " and "
+ #\\\
+ reEscape = re.compile('([\"]|(\\\\))')
+ reClear = re.compile('`')
+
+ orToken = " or "
+ notToken = "not "
+ subExpression = "(%s)"
+ valueExpression = "\"%s\""
+ mapExpression = "%s = %s"
+ listExpression = "(%s)"
+ listSeparator = " or "
+ config_required = True
+ mapListsSpecialHandling = True
+
+ def __init__(self, *args, **kwargs):
+ self.defaultEventName = "event"
+ self.condition_name = None
+ self.parsed_detection = None
+ self.author = None
+ self.description = None
+ self.created = None
+ self.title = None
+ self.references = None
+ self.rule_count = 0
+ return super().__init__(*args, **kwargs)
+
+ def cleanValue(self, val):
+ if val and isinstance(val, str) and val.endswith("/"):
+ val = val.rstrip("/")
+ if val and isinstance(val, str) and val.startswith("\\"):
+ val = val.lstrip("\\")
+ return super().cleanValue(val)
+
+ def parseTitle(self, title):
+ new_title = re.sub(re.compile('[()*:;+!,\[\].?"-/]'), "", title.lower())
+ new_title = re.sub(re.compile('\s'), "_", new_title.lower())
+ index = 0
+ for i, title_char in enumerate(new_title):
+ if not title_char.isdigit():
+ index = i
+ break
+ new_title = new_title[index:]
+ new_title = new_title.strip("_")
+ return new_title
+
+ def generateMapItemNode(self, node):
+ fieldname, value = node
+
+ transformed_fieldname = self.fieldNameMapping(fieldname, value)
+ if type(value) in (str, int):
+ return self.regex_check(transformed_fieldname=transformed_fieldname, val=value)
+ elif type(value) == list:
+ return self.generateMapItemListNode(transformed_fieldname, value)
+ elif isinstance(value, SigmaTypeModifier):
+ return self.generateMapItemTypedNode(transformed_fieldname, value)
+ elif value is None:
+ return self.nullExpression % (transformed_fieldname, )
+ else:
+ raise TypeError("Backend does not support map values of type " + str(type(value)))
+
+ def createFinalRule(self, body):
+ # Spaces required in rule for structure
+ function_name = self.parseTitle(self.title)
+ if self.rule_count != 0:
+ function_name += "_part_{}".format(self.rule_count)
+
+ meta = """ meta:\n author = \"{author}\"\n description = \"{description}\"\n reference = \"{reference}\"\n version = \"0.01\"""".format(
+ author=self.author, description=self.description, reference=""
+ )
+ if self.created:
+ meta += "\n created = \"{}\"".format(self.created)
+ if any(self.logsource):
+ logsources = "\n ".join([f'{i} = "{j}"' for i, j in self.logsource.items() if i not in ("description", "definition")])
+ meta += "\n {}".format(logsources)
+ if self.tags:
+ tags = ", ".join([item.replace("attack.", "") for item in self.tags])
+ meta += "\n mitre = \"{}\"".format(tags)
+ condition_func = """ condition:\n {condition}""".format(condition=self.condition)
+ result = """rule {function_name} {{\n{meta}\n\n events:\n{function}\n\n{condition}\n}}""".format(
+ function_name=function_name,
+ meta=meta,
+ function=body,
+ condition=condition_func
+ )
+ self.rule_count += 1
+ return result
+
+ def fieldNameMapping(self, fieldname, value):
+ return f"${self.condition_name}.{fieldname}"
+
+ def regex_check(self, transformed_fieldname, val):
+ if val and isinstance(val, str) and '*' in val:
+ val = val.replace("\*", "*")
+ val = self.cleanValue(val)
+ val = val.replace("(", "\(")
+ val = val.replace(")", "\)")
+ val = re.compile(r'([+.?])').sub("\\\\\g<1>", val)
+ val = val.replace("*", ".*")
+ return f"re.regex({transformed_fieldname}, `{val}`)"
+ if val and isinstance(val, str):
+ return self.mapExpression % (transformed_fieldname, self.generateNode(val))
+ else:
+ return self.mapExpression % (transformed_fieldname, self.generateNode(val))
+
+ def generateMapItemListNode(self, fieldname, value):
+ list_query = []
+ for item in value:
+ updated_field_value = self.regex_check(transformed_fieldname=fieldname, val=item)
+ list_query.append(updated_field_value)
+ if len(list_query) > 1:
+ return "(" + " or ".join(list_query) + ")"
+ return list_query[0]
+
+ def generate(self, sigmaparser):
+ detection = sigmaparser.parsedyaml.get("detection")
+ condition_name = [item for item in detection.keys() if item not in ("condition", "keywords")]
+ if any(condition_name):
+ self.condition_name = condition_name[0]
+ else:
+ self.condition_name = "event"
+ self.author = sigmaparser.parsedyaml.get("author")
+ self.title = sigmaparser.parsedyaml.get("title")
+ description = "{} Author: {}.".format(sigmaparser.parsedyaml.get("description"), self.author)
+ description = description.replace("\\", "\\\\")
+ description = description.replace("\n", "")
+ self.description = description.replace('"', '\\"')
+ self.created = sigmaparser.parsedyaml.get("date", datetime.now().strftime("%Y-%m-%d"))
+ references = sigmaparser.parsedyaml.get("reference", [])
+ if not any(references):
+ references = sigmaparser.parsedyaml.get("references", [])
+ self.references = references
+ self.logsource = sigmaparser.parsedyaml.get("logsource") if sigmaparser.parsedyaml.get("logsource") else sigmaparser.parsedyaml.get("logsources", {})
+ self.tags = sigmaparser.parsedyaml.get("tags")
+ for parsed in sigmaparser.condparsed:
+ aggregation = None
+ translate = self.generateQuery(parsed)
+ self.condition = "${}".format(self.condition_name)
+ if parsed.parsedAgg:
+ translate = self.generateAggregation(agg=parsed.parsedAgg, body=translate)
+ return self.createFinalRule(body=translate)
+
+ def generateQuery(self, parsed):
+ result = self.generateNode(parsed.parsedSearch)
+ return result
+
+ def generateAggregation(self, agg, body):
+ if agg is None:
+ return ""
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR:
+ raise NotImplementedError(
+ "The 'near' aggregation operator is not "
+ + f"implemented for the %s backend" % self.identifier
+ )
+ if agg.aggfunc_notrans != 'count' and agg.aggfield is None:
+ raise NotSupportedError(
+ "The '%s' aggregation operator " % agg.aggfunc_notrans
+ + "must have an aggregation field for the %s backend" % self.identifier
+ )
+ if agg.aggfunc_notrans == 'count':
+ if agg.groupfield:
+ self.condition = "${condition} and #target {op} {cond}".format(condition=self.condition_name,
+ field=agg.groupfield,
+ op=agg.cond_op,
+ cond=agg.condition)
+ body += "\n${condition}.{field} = $target".format(condition=self.condition_name, field=agg.groupfield,)
+ else:
+ self.condition = "#{} {} {}".format(self.condition_name, agg.cond_op, agg.condition)
+ return body
\ No newline at end of file
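Review bot: `regex_check` (L28000-28008) escapes only `( ) + . ?` before interpolating the Sigma value into a backtick-delimited `re.regex()` literal, so `[ ] { } | ^ $` in a value (e.g. a CommandLine pattern with `[` or `|`) are silently interpreted as regex syntax and a backtick ends the literal and turns the rest of the value into YARA-L code; `reClear` (L27912) is defined for exactly this and never used. A per-segment `re.escape` plus stripping the delimiter fixes both (below); I dropped the `cleanValue()` call because the backslash-doubling its parent presumably applies via `reEscape` (L27911) is meant for the double-quoted branch and would be escaped a second time by `re.escape` — if the trailing-`/` / leading-`\` trimming is still wanted, do it before the escape. Separately, `createFinalRule` writes `self.author`, the logsource values and the tags into quoted `meta` strings without the quote/backslash escaping that `generate` applies to the description (L28033-28035), so a `"` in any of them produces an invalid rule.
```python
def regex_check(self, transformed_fieldname, val):
    if val and isinstance(val, str) and '*' in val:
        val = val.replace("\\*", "*")
        # escape every regex metacharacter in each literal segment
        # (re.escape also covers [ ] { } | ^ $), then widen '*' to '.*'
        val = ".*".join(re.escape(seg) for seg in val.split("*"))
        # YARA-L raw strings are backtick-delimited and have no escape for
        # the delimiter, so a backtick in the value must not reach the query
        val = self.reClear.sub("", val)
        return f"re.regex({transformed_fieldname}, `{val}`)"
    return self.mapExpression % (transformed_fieldname, self.generateNode(val))
```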
diff --git a/tools/sigma/backends/devo.py b/tools/sigma/backends/devo.py
new file mode 100644
index 00000000000..aeca596f754
--- /dev/null
+++ b/tools/sigma/backends/devo.py
@@ -0,0 +1,254 @@
+# Output backends for sigmac
+# Copyright 2021 Devo, Inc.
+# Author: Eduardo Ocete
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import re
+from .base import SingleTextQueryBackend
+from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
+from sigma.parser.condition import SigmaAggregationParser
+from sigma.parser.exceptions import SigmaParseError
+
+class DevoBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into Devo query."""
+ identifier = "devo"
+ active = True
+
+ andToken = " and " # Token used for linking expressions with logical AND
+ orToken = " or " # Same for OR
+ notToken = " not " # Same for NOT
+ subExpression = "(%s)" # Syntax for subexpressions, usually parenthesis around it. %s is inner expression
+ listExpression = "%s" # Syntax for lists, %s are list items separated with listSeparator
+ listSeparator = ", " # Character for separation of list items
+ valueExpression = "\"%s\"" # Expression of values, %s represents value
+ intValueExpression = "%s" # Expression of int values, %s represents value
+ nullExpression = "isnull(%s)" # Expression of queries for null values or non-existing fields. %s is field name
+ notNullExpression = "isnotnull(%s)" # Expression of queries for not null values. %s is field name
+ mapExpression = "%s = %s" # Syntax for field/value conditions. First %s is fieldname, second is value
+ mapMulti = "has(%s, %s)" # Syntax for field/value conditions. First %s is fieldname, second is value
+ mapWildcard = "matches(%s, nameglob(%s))" # Syntax for globbing conditions
+ mapRe = "matches(%s, %s)" # Syntax for regex conditions that already were transformed by SigmaRegularExpressionModifier
+ mapContains = "toktains(%s, %s, true, true)" # Systax for token value searches
+ mapListValueExpression = "%s or %s" # Syntax for field/value condititons where map value is a list
+ mapFullTextSearch = "weaktoktains(raw, \"%s\", true, true)" # Expression for full text searches
+ typedValueExpression = {
+ SigmaRegularExpressionModifier: "re(\"%s\")", # Syntax for regular expressions
+ }
+
+ # \ -> \\
+ # \* -> \*
+ # \\* -> \\*
+ reEscape = re.compile('("|(? 3 # Covers "*" case
+
+ if type(value) == SigmaRegularExpressionModifier:
+ return self.mapRe % (transformed_fieldname, self.generateNode(value))
+ elif type(value) == list:
+ if has_contains:
+ return self.subExpression % self.andToken.join(self.mapContains % (transformed_fieldname, self.generateNode(val[1:-1])) for val in value)
+ elif has_startswith or has_endswith:
+ return self.generateMapItemListNode(transformed_fieldname, value)
+ else:
+ return self.mapMulti % (transformed_fieldname, self.generateNode(value))
+ elif type(value) in (str, int):
+ if has_contains:
+ return self.mapContains % (transformed_fieldname, self.generateNode(value[1:-1]))
+ elif has_startswith or has_endswith:
+ return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
+ else:
+ return self.mapExpression % (transformed_fieldname, self.generateNode(value))
+ else:
+ raise TypeError("Devo backend does not support map values of type " + str(type(value)))
+
+ def generateMapItemListNode(self, key, value):
+ return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")"
+
+ def generateValueNode(self, node):
+ if type(node) == int:
+ return self.intValueExpression % int(node)
+ return self.valueExpression % (self.cleanValue(node))
+
+ def generateNULLValueNode(self, fieldname):
+ return self.nullExpression % fieldname
+
+ def generateNotNULLValueNode(self, fieldname):
+ return self.notNullExpression % fieldname
+
+ def generateTypedValueNode(self, node):
+ try:
+ return self.typedValueExpression[type(node)] % (self.cleanValue(str(node)))
+ except KeyError:
+ raise NotImplementedError("Type modifier '{}' is not supported by backend".format(node.identifier))
+
+ def generateFTS(self, value):
+ return self.mapFullTextSearch % self.cleanValue(value)
+
+ def requireFTS(self, value):
+ return isinstance(value, str) or isinstance(value, int) or isinstance(value, list)
+
+ def fieldNameMapping(self, field, value):
+ # Handle derived fields
+ matched = self.derivedField.search(field)
+ if matched:
+ self.derivedFieldSet.add(field)
+ return matched.group(1)
+ return field
+
+ def generateAggregation(self, agg, where_clause):
+ if not agg:
+ return self.table, where_clause
+
+ # Near operator not supported yet
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR:
+ raise NotImplementedError("The 'near' aggregation operator is not implemented for the %s backend" % self.identifier)
+ if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or
+ agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or
+ agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or
+ agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM or
+ agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG):
+
+ if agg.groupfield:
+ group_by = " group by {0}".format(self.fieldNameMapping(agg.groupfield, None))
+ else:
+ group_by = ""
+
+ if agg.aggfield:
+ select = "{}({}) as agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
+ else:
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
+ select = "{}(*) as agg".format(agg.aggfunc_notrans)
+ else:
+ raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))
+
+ if self.derivedFieldSet:
+ derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet))
+ else:
+ derivedFieldsStr = ""
+
+ temp_table = "from {}{} where {}{} select {}".format(self.table, derivedFieldsStr, where_clause, group_by, select)
+ agg_condition = "agg {} {}".format(agg.cond_op, agg.condition)
+
+ return temp_table, agg_condition
+
+ raise NotImplementedError("{} aggregation not implemented in Devo Backend".format(agg.aggfunc_notrans))
+
+ def generateQuery(self, parsed):
+ if self.requireFTS(parsed.parsedSearch):
+ result = self.generateFTS(parsed.parsedSearch)
+ else:
+ result = self.generateNode(parsed.parsedSearch)
+ if parsed.parsedAgg:
+ fro, whe = self.generateAggregation(parsed.parsedAgg, result)
+ return "{} where {} select *".format(fro, whe)
+
+ if self.derivedFieldSet:
+ derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet))
+ else:
+ derivedFieldsStr = ""
+
+ return "from {}{} where {} select *".format(self.table, derivedFieldsStr, result)
+
+ def generate(self, sigmaparser):
+ """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
+ self.derivedFieldSet = set()
+ if sigmaparser.get_logsource() and sigmaparser.get_logsource().index:
+ self.table = sigmaparser.get_logsource().index[0]
+ else:
+ self.table = "sourcetable"
+
+ for parsed in sigmaparser.condparsed:
+ # Multi condition rules are not supported yet, only the first one will be processed
+ query = self.generateQuery(parsed)
+ before = self.generateBefore(parsed)
+ after = self.generateAfter(parsed)
+
+ result = ""
+ if before is not None:
+ result = before
+ if query is not None:
+ result += query
+ if after is not None:
+ result += after
+
+ return result
\ No newline at end of file
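Review bot: `generate` (L28246-28268) returns from inside the `for parsed in sigmaparser.condparsed` loop, so a rule with several conditions silently emits only the first query — the comment on L28255 admits this — whereas the base backend in this same diff now raises for that case (L27875-27876); a detection that drops conditions without telling the user is worse than a refusal, so add `if len(sigmaparser.condparsed) > 1: raise NotImplementedError("Devo backend doesn't support multiple conditions")` before the loop. The hunk also appears truncated around L28137 (the `reEscape` line runs straight into `3 # Covers "*" case`), so the head of `generateMapItemNode` and the `derivedField` pattern used on L28186 are not visible here and I could not check them.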
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 3af2e6ccaa2..855e8815d38 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -21,11 +21,12 @@
import os
from random import randrange
from distutils.util import strtobool
+from uuid import uuid4
import sigma
import yaml
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier
-from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
+from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser, SigmaConditionParser, SigmaConditionTokenizer
from sigma.config.mapping import ConditionalFieldMapping
from .base import BaseBackend, SingleTextQueryBackend
@@ -300,6 +301,120 @@ def generateSubexpressionNode(self, node):
else:
return super().generateSubexpressionNode(node)
+class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
+ """Converts Sigma rule into EQL."""
+ identifier = "es-eql"
+ active = True
+
+ # XXX case sensitivity
+ # case insensitive (and regex!!!)
+ # - map/field: "%s == %s" becomes "%s : %s"
+ # - map/list: "%s in %s" becomes "%s : %s"
+
+ andToken = " and "
+ orToken = " or "
+ notToken = " not "
+ subExpression = "(%s)"
+ listExpression = "(%s)"
+ listSeparator = ","
+ valueExpression = "\"%s\"" # XXX numeric?
+ typedValueExpression = dict() # XXX Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value
+ nullExpression = "%s == null"
+ notNullExpression = "%s != null"
+ mapExpression = "%s : %s"
+ mapListsSpecialHandling = False
+ mapListValueExpression = "%s : %s"
+
+ sort_condition_lists = True
+
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.categories = set()
+ self.sequence = False
+ self.maxspan = None
+
+ def generate(self, sigmaparser):
+ # reset per-rule variables
+ self.categories = set()
+ self.sequence = False
+ self.maxspan = None
+ return super().generate(sigmaparser)
+
+ def escapeSlashes(self, value):
+ return value.replace("\\", "\\\\")
+
+ def generateMapItemNode(self, node):
+ fieldname, _ = node
+ try:
+ category, fieldname = fieldname.split('.', 1)
+ # check against https://www.elastic.co/guide/en/ecs/1.8/ecs-allowed-values-event-category.html
+ if category in ("authentication", "configuration", "database", "driver", "file", "host", "iam", "intrusion_detection", "malware", "network", "package", "process", "registry", "session", "web"):
+ self.categories.add(category)
+ except ValueError:
+ pass
+ return super().generateMapItemNode(node)
+
+ def generateMapItemTypedNode(self, fieldname, value):
+ return self.mapExpression % (fieldname, self.generateTypedValueNode(value))
+
+ def generateValueNode(self, node):
+ return self.valueExpression % (self.escapeSlashes(self.cleanValue(str(node))))
+
+ def generateAggregationQuery(self, agg, searchId):
+ condtoken = SigmaConditionTokenizer(searchId)
+ condparsed = SigmaConditionParser(agg.parser, condtoken)
+ backend = ElasticsearchEQLBackend(agg.config)
+ query = backend.generateQuery(condparsed)
+ before = backend.generateBefore(condparsed)
+ return before + query
+
+ def generateAggregation(self, agg):
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR:
+ self.sequence = True
+ self.maxspan = agg.parser.parsedyaml['detection'].get('timeframe', None)
+
+ includeQueries = []
+ excludeQueries = []
+
+ for include in agg.include:
+ includeQueries.append(self.generateAggregationQuery(agg, include))
+
+ for exclude in agg.exclude:
+ excludeQueries.append(self.generateAggregationQuery(agg, exclude))
+
+ ret = " ] [ " + " ] [ ".join(includeQueries) + " ]"
+ if len(excludeQueries) > 0:
+ ret += " until [ " + " ] [ ".join(excludeQueries) + " ]"
+ return ret
+
+ raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans)
+
+ def generateEventCategory(self):
+ if len(self.categories) == 0:
+ return "any where "
+ elif len(self.categories) == 1:
+ return "%s where " % self.categories.pop()
+ # XXX raise NotImplementedError? >1 category is probably due to unmapped fields
+ return "any where "
+
+ def generateBefore(self, parsed):
+ before = ""
+
+ if self.sequence:
+ before += "sequence "
+ if self.maxspan != None:
+ before += "with maxspan=%s " % self.maxspan
+ before += "[ "
+
+ before += self.generateEventCategory()
+
+ return before
+
+ def fieldNameMapping(self, fieldname, value):
+ if fieldname.count("-") > 0 or fieldname.count(" ") > 0 or fieldname[0].isdigit():
+ return "`%s`" % fieldname
+ return fieldname
+
class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
"""ElasticSearch DSL backend"""
identifier = 'es-dsl'
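Review bot: `generateValueNode` (L28345-28346) wraps the value in double quotes but only escapes backslashes, so a `"` inside a Sigma value (common in CommandLine patterns) terminates the EQL string literal and the remainder of the value becomes query syntax; unless `cleanValue()` from `ElasticsearchWildcardHandlingMixin` already escapes it (not visible here — confirm), append `.replace('"', '\\"')` after `escapeSlashes`. `fieldNameMapping` (L28399) indexes `fieldname[0]` and raises `IndexError` on an empty field name; `fieldname[:1].isdigit()` avoids that. The `# XXX` notes at L28294-28297, L28305-28306 and L28382 describe open questions (case sensitivity, numeric values, multi-category fallback to `any where`) that should either be resolved or turned into a docstring caveat on the class before it ships as `active = True`.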
@@ -509,16 +624,22 @@ def generateAggregation(self, agg):
}
else: # if the condition is count() by MyGroupedField > XYZ
group_aggname = "{}_count".format(agg.groupfield)
+ count_agg_name = "single_{}_count".format(agg.groupfield)
self.queries[-1]['aggs'] = {
group_aggname: {
'terms': {
'field': '%s' % (agg.groupfield)
},
'aggs': {
+ count_agg_name: {
+ 'value_count': {
+ 'field': '%s' % agg.groupfield
+ }
+ },
'limit': {
'bucket_selector': {
'buckets_path': {
- 'count': group_aggname
+ 'count': count_agg_name
},
'script': 'params.count %s %s' % (agg.cond_op, agg.condition)
}
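Review bot: The `buckets_path` can reference the terms bucket's built-in document count directly, `'count': '_count'`, instead of adding the `value_count` sub-aggregation (L28417-28421); within a terms bucket on `agg.groupfield`, `value_count` of that same field equals the bucket's `doc_count`, so the result is identical with one fewer aggregation and a simpler JSON. If the extra aggregation is kept deliberately (e.g. for readability in Kibana), a one-line comment saying so would stop the next reader from removing it. The enclosing `generateAggregation` starts outside the hunk.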
@@ -1211,15 +1332,34 @@ def generateQuery(self, parsed):
#Generate ES QS Query
return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }]
-class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
+class ElasticSearchRuleBackend(object):
"""Elasticsearch detection rule backend"""
- identifier = "es-rule"
active = True
+ uuid_black_list = []
+ options = ElasticsearchQuerystringBackend.options + (
+ ("put_filename_in_ref", False, "Want to have yml name in reference ?", None),
+ ("convert_to_url", False, "Want to convert to a URL ?", None),
+ ("path_to_replace", "../", "The local path to replace with dest_base_url", None),
+ ("dest_base_url", "https://github.com/SigmaHQ/sigma/tree/master/", "The URL prefix", None),
+ ("custom_tag", None , "Add custom tag. for multi split with a comma tag1,tag2 ", None),
+ )
+ default_rule_type = "query"
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.tactics = self._load_mitre_file("tactics")
self.techniques = self._load_mitre_file("techniques")
+ self.rule_type = self.default_rule_type
+ self.rule_threshold = {}
+
+ def _rule_lang_from_type(self):
+ rule_lang_map = {
+ "eql": "eql",
+ "query": "lucene",
+ "threat-match": "lucene",
+ "threshold": "lucene",
+ }
+ return rule_lang_map[self.rule_type]
def _load_mitre_file(self, mitre_type):
try:
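Review bot: `uuid_black_list = []` (L28438) is a mutable class attribute that `create_rule` appends to (L28543), so every instance of this class and of any subclass built on it shares one list for the life of the process; a library caller or test suite that creates several backends will see rule ids replaced by random ones depending on what an earlier instance converted. Initialise it per instance, `self.uuid_black_list = []` in `__init__`, next to `self.rule_type`. `_rule_lang_from_type` (L28454-28461) raises a bare `KeyError` for an unknown `rule_type`; `rule_lang_map.get(self.rule_type, "lucene")` or an explicit `NotSupportedError` naming the type would be friendlier. The class body continues past the hunk.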
@@ -1236,6 +1376,10 @@ def _load_mitre_file(self, mitre_type):
return []
def generate(self, sigmaparser):
+ # reset per-detection variables
+ self.rule_type = self.default_rule_type
+ self.rule_threshold = {}
+
translation = super().generate(sigmaparser)
if translation:
index = sigmaparser.get_logsource().index
@@ -1282,14 +1426,45 @@ def find_technique(self, key_id=None):
return technique
def map_risk_score(self, level):
+ if level not in ["low","medium","high","critical"]:
+ level = "medium"
if level == "low":
- return randrange(0,22)
+ return 5
elif level == "medium":
- return randrange(22,48)
+ return 35
elif level == "high":
- return randrange(48,74)
+ return 65
elif level == "critical":
- return randrange(74,101)
+ return 95
+
+ def map_severity(self, severity):
+ severity = severity.lower()
+ if severity in ["low","medium","high","critical"]:
+ return severity
+ elif severity == "informational":
+ return "low"
+ else:
+ return "medium"
+
+ def build_ymlfile_ref(self, configs):
+ if self.put_filename_in_ref == False: # Dont want
+ return None
+
+ yml_filename = configs.get("yml_filename")
+ yml_path = configs.get("yml_path")
+ if yml_filename == None or yml_path == None:
+ return None
+
+ if self.convert_to_url:
+ yml_path = yml_path.replace('\\','/') #windows path to url
+ self.path_to_replace = self.path_to_replace.replace('\\','/') #windows path to url
+ if self.path_to_replace not in yml_path: #Error to change
+ return None
+
+ new_ref = yml_path.replace(self.path_to_replace,self.dest_base_url) + '/' + yml_filename
+ else:
+ new_ref = yml_filename
+ return new_ref
def create_rule(self, configs, index):
tags = configs.get("tags", [])
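Review bot: `build_ymlfile_ref` rewrites `self.path_to_replace` in place on every call and then uses `str.replace`, which substitutes every occurrence of that prefix inside `yml_path` rather than only the leading one, so a rule whose directory path happens to repeat the prefix gets a mangled reference URL. Keep the normalised prefix in a local and anchor it: `prefix = self.path_to_replace.replace('\\', '/')`, `if not yml_path.startswith(prefix): return None`, `new_ref = self.dest_base_url + yml_path[len(prefix):] + '/' + yml_filename`. The `== False` and `== None` comparisons at the top of the method should be `if not self.put_filename_in_ref:` and `is None`. `map_severity` calls `.lower()` on the level directly, so a non-string `level` in a rule raises AttributeError instead of falling back to medium the way `map_risk_score` does; `str(severity).lower()` keeps the two consistent. The attributes these methods read (`put_filename_in_ref`, `convert_to_url`, `path_to_replace`, `dest_base_url`) are defined outside the hunk.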
@@ -1322,24 +1497,55 @@ def create_rule(self, configs, index):
if tact:
new_tags.append(tag.title())
tactics_list.append(tact)
+
+ if self.custom_tag:
+ if ',' in self.custom_tag:
+ tag_split = self.custom_tag.split(",")
+ for l_tag in tag_split:
+ new_tags.append(l_tag)
+ else:
+ new_tags.append(self.custom_tag)
+
threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list)
rule_name = configs.get("title", "").lower()
- rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name)
+ rule_uuid = configs.get("id", "").lower()
+ if rule_uuid == "":
+ rule_uuid = str(uuid4())
+ if rule_uuid in self.uuid_black_list:
+ rule_uuid = str(uuid4())
+ self.uuid_black_list.append(rule_uuid)
+ rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid)
risk_score = self.map_risk_score(configs.get("level", "medium"))
references = configs.get("reference")
if references is None:
references = configs.get("references")
+ falsepositives = []
+ yml_falsepositives = configs.get('falsepositives',["Unknown"])
+ if isinstance(yml_falsepositives,str):
+ falsepositives.append(yml_falsepositives)
+ else:
+ falsepositives=yml_falsepositives
+
+ add_ref_yml= self.build_ymlfile_ref(configs)
+ if add_ref_yml:
+ if references is None: # No ref
+ references=[]
+ if add_ref_yml in references:
+ pass # else put a duplicate ref for multi rule file
+ else:
+ references.append(add_ref_yml)
+
rule = {
"description": configs.get("description", ""),
"enabled": True,
- "false_positives": configs.get('falsepositives', "Unknown"),
+ "false_positives": falsepositives,
"filters": [],
"from": "now-360s",
"immutable": False,
"index": index,
"interval": "5m",
"rule_id": rule_id,
- "language": "lucene",
+ "language": self._rule_lang_from_type(),
"output_index": ".siem-signals-default",
"max_signals": 100,
"risk_score": risk_score,
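Review bot: `references.append(add_ref_yml)` assumes `references` is a list, yet the lines just above already tolerate non-canonical input (a singular `reference` key); a rule that writes `references:` as a bare string makes `add_ref_yml in references` a substring test and then fails with AttributeError on `.append`. Normalise first: `if isinstance(references, str): references = [references]`. The UUID de-duplication silently mints a fresh `uuid4()` when a rule's declared `id` was already seen, so the emitted `rule_id` no longer matches the Sigma `id` and changes on every run; a warning naming the colliding id would make duplicate ids in the rule set visible instead of hiding them. `create_rule` continues past the end of the hunk.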
@@ -1348,17 +1554,45 @@ def create_rule(self, configs, index):
"meta": {
"from": "1m"
},
- "severity": configs.get("level", "medium"),
+ "severity": self.map_severity(configs.get("level", "medium")),
"tags": new_tags,
"to": "now",
- "type": "query",
+ "type": self.rule_type,
"threat": threat,
"version": 1
}
+ if self.rule_type == "threshold":
+ rule.update({"threshold": self.rule_threshold})
if references:
rule.update({"references": references})
return json.dumps(rule)
+
+class ElasticSearchRuleEqlBackend(ElasticSearchRuleBackend, ElasticsearchEQLBackend):
+ default_rule_type = "eql"
+ identifier = "es-rule-eql"
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+
+class ElasticSearchRuleQsBackend(ElasticSearchRuleBackend, ElasticsearchQuerystringBackend):
+ identifier = "es-rule"
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+
+ def generateAggregation(self, agg):
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
+ if agg.cond_op not in [">", ">="]:
+ raise NotImplementedError("Threshold rules can only handle > and >= operators")
+ if agg.aggfield:
+ raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield)
+ self.rule_type = "threshold"
+ self.rule_threshold = {
+ "field": agg.groupfield if agg.groupfield else [],
+ "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1
+ }
+ return ""
+ raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans)
+
class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
"""Converts Sigma rule into Kibana JSON Configuration files (searches only)."""
identifier = "kibana-ndjson"
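Review bot: `int(agg.condition)` in `ElasticSearchRuleQsBackend.generateAggregation` raises a bare ValueError for a non-integer threshold (a float or malformed count), whereas the surrounding checks raise NotImplementedError with a message; wrap it: `try: count = int(agg.condition)` / `except (TypeError, ValueError): raise NotImplementedError("Threshold rules need an integer count, got %r" % agg.condition)` and build `value` from `count`. The threshold `field` is emitted as a plain string when grouping and as `[]` otherwise; which shape the Detection Engine accepts depends on the Kibana version, so the method should document the version it targets. `generateAggregation` also relies on `SigmaAggregationParser`, which is imported outside this hunk, and carries the result in `self.rule_type`/`self.rule_threshold` that `generate` resets in an earlier hunk.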
diff --git a/tools/sigma/backends/fireeye-helix.py b/tools/sigma/backends/fireeye-helix.py
index edf999a21f6..fca445da997 100644
--- a/tools/sigma/backends/fireeye-helix.py
+++ b/tools/sigma/backends/fireeye-helix.py
@@ -125,14 +125,14 @@ def generateMapItemNode(self, node):
def generateNULLValueNode(self, node):
# Don't generate null value nodes for fields we don't map
- if node.item is "rawmsg":
+ if node.item == "rawmsg":
return None
else:
return self.notNullExpression % (node.item)
def generateNotNULLValueNode(self, node):
# Don't generate not null value nodes for fields we don't map
- if node.item is "rawmsg":
+ if node.item == "rawmsg":
return None
else:
return self.nullExpression % (node.item)
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 854dec74ca7..383134a400a 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -23,11 +23,16 @@
# A few helper functions for cases where field mapping cannot be done
# as easily one by one, or can be done more efficiently.
-def _windowsEventLogFieldName(fieldName):
+def _windowsEventLogArtifactFieldName(fieldName):
if 'EventID' == fieldName:
return 'Event/System/EventID'
return 'Event/EventData/%s' % (fieldName,)
+def _windowsEventLogEDRFieldName(fieldName):
+ if 'EventID' == fieldName:
+ return 'event/EVENT/System/EventID'
+ return 'event/EVENT/EventData/%s' % (fieldName,)
+
def _mapProcessCreationOperations(node):
# Here we fix some common pitfalls found in rules
# in a consistent fashion (already processed to D&R rule).
@@ -63,134 +68,202 @@ def _mapProcessCreationOperations(node):
'isAllStringValues',
'keywordField',
'postOpMapper',
+ 'isCaseSensitive',
])
_allFieldMappings = {
- "windows/process_creation/": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is windows",
- },
- fieldMappings = {
- "CommandLine": "event/COMMAND_LINE",
- "Image": "event/FILE_PATH",
- "ParentImage": "event/PARENT/FILE_PATH",
- "ParentCommandLine": "event/PARENT/COMMAND_LINE",
- "User": "event/USER_NAME",
- "OriginalFileName": "event/ORIGINAL_FILE_NAME",
- # Custom field names coming from somewhere unknown.
- "NewProcessName": "event/FILE_PATH",
- "ProcessCommandLine": "event/COMMAND_LINE",
- # Another one-off command line.
- "Command": "event/COMMAND_LINE",
- },
- isAllStringValues = False,
- keywordField = "event/COMMAND_LINE",
- postOpMapper = _mapProcessCreationOperations
- ),
- "windows//": SigmaLCConfig(
- topLevelParams = {
- "target": "log",
- "log type": "wel",
- },
- preConditions = None,
- fieldMappings = _windowsEventLogFieldName,
- isAllStringValues = True,
- keywordField = None,
- postOpMapper = None
- ),
- "windows_defender//": SigmaLCConfig(
- topLevelParams = {
- "target": "log",
- "log type": "wel",
- },
- preConditions = None,
- fieldMappings = _windowsEventLogFieldName,
- isAllStringValues = True,
- keywordField = None,
- postOpMapper = None
- ),
- "dns//": SigmaLCConfig(
- topLevelParams = {
- "event": "DNS_REQUEST",
- },
- preConditions = None,
- fieldMappings = {
- "query": "event/DOMAIN_NAME",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
- "linux//": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is linux",
- },
- fieldMappings = {
- "exe": "event/FILE_PATH",
- "type": None,
- },
- isAllStringValues = False,
- keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
- ),
- "unix//": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is linux",
- },
- fieldMappings = {
- "exe": "event/FILE_PATH",
- "type": None,
- },
- isAllStringValues = False,
- keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
- ),
- "netflow//": SigmaLCConfig(
- topLevelParams = {
- "event": "NETWORK_CONNECTIONS",
- },
- preConditions = None,
- fieldMappings = {
- "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT",
- "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
- "/proxy/": SigmaLCConfig(
- topLevelParams = {
- "event": "HTTP_REQUEST",
- },
- preConditions = None,
- fieldMappings = {
- "c-uri|contains": "event/URL",
- "c-uri": "event/URL",
- "URL": "event/URL",
- "cs-uri-query": "event/URL",
- "cs-uri-stem": "event/URL",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
+ 'edr': {
+ "windows//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "WEL",
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = _windowsEventLogEDRFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "windows_defender//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "WEL",
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = _windowsEventLogEDRFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "windows/process_creation/": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = {
+ "CommandLine": "event/COMMAND_LINE",
+ "Image": "event/FILE_PATH",
+ "ParentImage": "event/PARENT/FILE_PATH",
+ "ParentCommandLine": "event/PARENT/COMMAND_LINE",
+ "User": "event/USER_NAME",
+ "OriginalFileName": "event/ORIGINAL_FILE_NAME",
+ # Custom field names coming from somewhere unknown.
+ "NewProcessName": "event/FILE_PATH",
+ "ProcessCommandLine": "event/COMMAND_LINE",
+ # Another one-off command line.
+ "Command": "event/COMMAND_LINE",
+ },
+ isAllStringValues = False,
+ keywordField = "event/COMMAND_LINE",
+ postOpMapper = _mapProcessCreationOperations,
+ isCaseSensitive = []
+ ),
+ "dns//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "DNS_REQUEST",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "query": "event/DOMAIN_NAME",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "linux//": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is linux",
+ },
+ fieldMappings = {
+ "exe": "event/FILE_PATH",
+ "type": None,
+ },
+ isAllStringValues = False,
+ keywordField = 'event/COMMAND_LINE',
+ postOpMapper = None,
+ isCaseSensitive = ['event/FILE_PATH']
+ ),
+ "unix//": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is linux",
+ },
+ fieldMappings = {
+ "exe": "event/FILE_PATH",
+ "type": None,
+ },
+ isAllStringValues = False,
+ keywordField = 'event/COMMAND_LINE',
+ postOpMapper = None,
+ isCaseSensitive = ['event/FILE_PATH']
+ ),
+ "netflow//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "NETWORK_CONNECTIONS",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT",
+ "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "/proxy/": SigmaLCConfig(
+ topLevelParams = {
+ "event": "HTTP_REQUEST",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "c-uri|contains": "event/URL",
+ "c-uri": "event/URL",
+ "URL": "event/URL",
+ "cs-uri-query": "event/URL",
+ "cs-uri-stem": "event/URL",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "macos/process_creation/": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is mac",
+ },
+ fieldMappings = {
+ "CommandLine": "event/COMMAND_LINE",
+ "Commandline": "event/COMMAND_LINE",
+ "Image": "event/FILE_PATH",
+ "ParentImage": "event/PARENT/FILE_PATH",
+ "ParentCommandLine": "event/PARENT/COMMAND_LINE",
+ "User": "event/USER_NAME",
+ "OriginalFileName": "event/ORIGINAL_FILE_NAME",
+ # Custom field names coming from somewhere unknown.
+ "NewProcessName": "event/FILE_PATH",
+ "ProcessCommandLine": "event/COMMAND_LINE",
+ # Another one-off command line.
+ "Command": "event/COMMAND_LINE",
+ },
+ isAllStringValues = False,
+ keywordField = "event/COMMAND_LINE",
+ postOpMapper = _mapProcessCreationOperations,
+ isCaseSensitive = ['event/FILE_PATH']
+ ),
+ },
+ "artifact": {
+ "windows//": SigmaLCConfig(
+ topLevelParams = {
+ "target": "log",
+ "log type": "wel",
+ },
+ preConditions = None,
+ fieldMappings = _windowsEventLogArtifactFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ "windows_defender//": SigmaLCConfig(
+ topLevelParams = {
+ "target": "log",
+ "log type": "wel",
+ },
+ preConditions = None,
+ fieldMappings = _windowsEventLogArtifactFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None,
+ isCaseSensitive = []
+ ),
+ }
}
class LimaCharlieBackend(BaseBackend):
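Review bot: The two new top-level keys are quoted inconsistently — `'edr'` single-quoted, `"artifact"` double-quoted — in a mapping table that otherwise uses double quotes; make them match. The new `isCaseSensitive` field is the only place where match semantics differ per target and the choice is not explained: on `linux//`, `unix//` and `macos/process_creation/` only `event/FILE_PATH` is case-sensitive while `event/COMMAND_LINE` stays case-insensitive, and every Windows and network mapping passes `[]`. A comment on the namedtuple field recording the rationale (presumably: paths on case-sensitive filesystems must match exactly, while command-line casing is deliberately left loose) would keep the next maintainer from "fixing" it either way.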
@@ -200,6 +273,15 @@ class LimaCharlieBackend(BaseBackend):
config_required = False
default_config = ["limacharlie"]
+ options = (
+ (
+ "lc_target",
+ "edr",
+ "Generate LimaCharlie D&R rules for the following target, one of: edr, artifact.",
+ None,
+ ),
+ )
+
def generate(self, sigmaparser):
# Take the log source information and figure out which set of mappings to use.
ruleConfig = sigmaparser.parsedyaml
@@ -230,7 +312,7 @@ def generate(self, sigmaparser):
# See if we have a definition for the source combination.
mappingKey = "%s/%s/%s" % (product, category, service)
- topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None, None]))
+ topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None]))
if mappings is None:
raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))
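Review bot: `_allFieldMappings.get(self.lc_target, {})` turns a mistyped `lc_target` option into the misleading error `Log source %s/%s/%s not supported by backend.` on the next line, because the empty dict never matches any log source. Validate the option before the lookup: `if self.lc_target not in _allFieldMappings: raise ValueError("lc_target must be one of: %s" % ", ".join(sorted(_allFieldMappings)))`. `generate` starts and ends outside this hunk.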
@@ -249,6 +331,9 @@ def generate(self, sigmaparser):
# Call to fixup all operations after the fact.
self._postOpMapper = postOpMapper
+ # Event paths that are case sensitive.
+ self._isCaseSensitiveFS = isCaseSensitive
+
# Call the original generation code.
detectComponent = super().generate(sigmaparser)
@@ -411,7 +496,7 @@ def generateMapItemNode(self, node):
newOp = {
"op": op,
"path": fieldname,
- "case sensitive": False,
+ "case sensitive": fieldname in self._isCaseSensitiveFS,
}
if op == "matches":
newOp["re"] = newVal
@@ -429,7 +514,7 @@ def generateMapItemNode(self, node):
newOp = {
"op": op,
"path": fieldname,
- "case sensitive": False,
+ "case sensitive": fieldname in self._isCaseSensitiveFS,
}
if op == "matches":
newOp["re"] = newVal
diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index cead68be034..eb535835a8e 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -19,8 +19,6 @@
from .base import SingleTextQueryBackend
from .exceptions import NotSupportedError
from ..parser.modifiers.base import SigmaTypeModifier
-from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier
-from ..parser.modifiers.type import SigmaRegularExpressionModifier
def wrapper(method):
@@ -42,10 +40,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
active = True
config_required = False
- # \ -> \\
- # \* -> \*
- # \\* -> \\*
- reEscape = re.compile('("|(?', val)
val = re.sub('\\*', '.*', val)
val = re.sub('\\?', '.', val)
- else: # value possibly only starts and/or ends with *, use prefix/postfix match
+ else:
+ # value possibly only starts and/or ends with *, use prefix/postfix match
if val.endswith("*") and val.startswith("*"):
op = "contains"
val = self.cleanValue(val[1:-1])
@@ -214,6 +216,9 @@ def default_value_mapping(self, val):
return "%s \"%s\"" % (op, val)
+ def porttype_mapping(self, val):
+ return "%s \"%s\"" % ("==", val)
+
def logontype_mapping(self, src):
"""Value mapping for logon events to reduced ATP LogonType set"""
logontype_mapping = {
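Review bot: `porttype_mapping` interpolates `val` unescaped into the KQL text and wraps it in double quotes, so it neither checks that the value is a port number nor passes it through `cleanValue`; a rule value containing `"` would break the generated query. The port columns in the Device*Events tables are numeric and Kusto is strict about comparing a numeric column with a string literal, so the quoted form is likely to be rejected or never match — confirm against the target schema. `return "== %d" % int(val)` both validates the value and emits the numeric form; the call site that selects this mapping is outside the hunk.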
@@ -262,6 +267,9 @@ def generate(self, sigmaparser):
elif (self.category, self.product, self.service) == ("file_event", "windows", None):
self.tables.append("DeviceFileEvents")
self.current_table = "DeviceFileEvents"
+ elif (self.category, self.product, self.service) == ("image_load", "windows", None):
+ self.tables.append("DeviceImageLoadEvents")
+ self.current_table = "DeviceImageLoadEvents"
elif (self.category, self.product, self.service) == ("network_connection", "windows", None):
self.tables.append("DeviceNetworkEvents")
self.current_table = "DeviceNetworkEvents"
@@ -295,6 +303,10 @@ def generateORNode(self, node):
return "%s" % generated
return generated
+ def cleanValue(self, val):
+ if self.reEscape:
+ val = self.reEscape.sub(self.escapeSubst, val)
+ return val
def mapEventId(self, event_id):
if self.product == "windows":
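Review bot: `cleanValue` here only does anything when `self.reEscape` is truthy, and the hunk at line 42 of this file removes the class-level `reEscape` definition (the removed text is garbled in this rendering, so the exact pattern cannot be read). If the base class default for `reEscape` is falsy, this method is a no-op and values containing `"` or `\` reach the `"%s"`-formatted query unescaped, which breaks or alters the generated KQL. Either keep a class-level `reEscape`/`escapeSubst` pair in this backend or add a regression test that converts a rule value such as `foo"bar` and checks the emitted literal is escaped.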
@@ -336,6 +348,10 @@ def mapEventId(self, event_id):
self.tables.append("DeviceLogonEvents")
self.current_table = "DeviceLogonEvents"
return None
+ elif self.service == "system" and event_id == 7045: # New Service Install
+ self.tables.append("DeviceEvents")
+ self.current_table = "DeviceEvents"
+ return "ActionType == \"ServiceInstalled\""
else:
if not self.tables:
raise NotSupportedError("No sysmon Event ID provided")
diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c1b..62506337b00 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
- notNullExpression = "%s exists"
+ nullExpression = "%s is null"
+ notNullExpression = "%s is not null"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py
index 25aed08d0e7..c8898ec6775 100644
--- a/tools/sigma/backends/netwitness.py
+++ b/tools/sigma/backends/netwitness.py
@@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
+ nullExpression = "%s !exists"
notNullExpression = "%s exists"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py
index 192e5369d70..67d347a03de 100644
--- a/tools/sigma/backends/powershell.py
+++ b/tools/sigma/backends/powershell.py
@@ -44,6 +44,11 @@ class PowerShellBackend(SingleTextQueryBackend):
mapListsSpecialHandling = True
logname = None
+ fieldMappings = {
+ "EventID": "ID",
+ "ID": "ID",
+ "ServiceFileName": "Service File Name"
+ }
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
@@ -112,9 +117,8 @@ def generateMapItemNode(self, node):
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if key in ("LogName","source"):
self.logname = value
- elif key in ("ID", "EventID"):
- if key == "EventID":
- key = "ID"
+ elif key in self.fieldMappings.keys():
+ key = self.fieldMappings[key]
return self.mapExpression % (key, self.generateValueNode(value, True))
elif type(value) == str and "*" in value:
value = value.replace("*", ".*")
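Review bot: Moving the field-mapping check into the first `elif` means a mapped field whose value carries a wildcard never reaches the `"*" in value` branch below it; before this change only `ID`/`EventID` took that branch, but `ServiceFileName` is a path field where `*` values are common, so those wildcards are now emitted literally instead of becoming `.*`. Apply the mapping before the branches — `key = self.fieldMappings.get(key, key)` right after the `logname` case — and let the wildcard branch run, keeping the old direct-equality path only for `key == "ID"`. `generateMapItemListNode` at line 140 has the same ordering problem. `generateMapItemNode` starts and ends outside the hunk.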
@@ -136,9 +140,8 @@ def generateMapItemNode(self, node):
def generateMapItemListNode(self, key, value):
itemslist = list()
for item in value:
- if key in ("ID", "EventID"):
- if key == "EventID":
- key = "ID"
+ if key in self.fieldMappings.keys():
+ key = self.fieldMappings[key]
itemslist.append(self.mapExpression % (key, self.generateValueNode(item, True)))
elif type(item) == str and "*" in item:
item = item.replace("*", ".*")
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index bd734bfa699..bc55a1ba105 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
@@ -1,6 +1,7 @@
# Output backends for sigmac
# Copyright 2019 Jayden Zheng
# Copyright 2020 Jonas Hagg
+# Copyright 2021 wagga (https://github.com/wagga40/)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
@@ -43,9 +44,16 @@ class SQLBackend(SingleTextQueryBackend):
mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list
mapLength = "(%s %s)"
- def __init__(self, sigmaconfig, table):
+ options = SingleTextQueryBackend.options + (
+ ("table", False, "Use this option to specify table name, default is \"eventlog\"", None),
+ )
+
+ def __init__(self, sigmaconfig, options):
super().__init__(sigmaconfig)
- self.table = table
+ if "table" in options:
+ self.table = options["table"]
+ else:
+ self.table = "eventlog"
def generateANDNode(self, node):
generated = [ self.generateNode(val) for val in node ]
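Review bot: The new `table` option is declared with default `False` while its help text and `__init__` say the default is `"eventlog"`; if the options machinery applies declared defaults before `__init__` runs, `"table" in options` is true with a value of `False` and every query targets a table literally named `False` — declare the default as `"eventlog"` and drop the fallback branch. The table name is also interpolated directly into SQL text; it comes from the operator's command line rather than from rule content, but a one-line identifier check such as `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", self.table): raise ValueError("invalid table name")` (assuming `re` is available in this module) keeps a stray quote in the option from producing broken SQL. `__init__` has no docstring; one line naming the accepted option would help.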
@@ -162,10 +170,10 @@ def generateAggregation(self, agg, where_clausel):
group_by = ""
if agg.aggfield:
- select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
+ select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
else:
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
- select = "{}(*) AS agg".format(agg.aggfunc_notrans)
+ select = "*,{}(*) AS agg".format(agg.aggfunc_notrans)
else:
raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))
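Review bot: `SELECT *, COUNT(*) AS agg ... GROUP BY` projects non-aggregated columns that are not in the `GROUP BY` list, which SQLite accepts (returning an arbitrary row per group) but standard SQL and engines such as PostgreSQL or SQL Server reject. Since this backend is not SQLite-specific, either restrict the projection to the grouped columns plus the aggregate, or document on `generateAggregation` that the `*` is an SQLite-only convenience. `generateAggregation` starts and ends outside the hunk.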
diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py
index 03191d8bfdf..c802180c4d4 100644
--- a/tools/sigma/backends/stix.py
+++ b/tools/sigma/backends/stix.py
@@ -16,7 +16,7 @@ class STIXBackend(SingleTextQueryBackend):
mapExpression = "%s = %s"
notMapExpression = "%s != %s"
mapListsSpecialHandling = True
- sigmaSTIXObjectName = "x-sigma"
+ sort_condition_lists = True
def cleanKey(self, key):
if key is None:
@@ -113,7 +113,8 @@ def generateMapItemTypedNode(self, key, value):
def generateMapItemNode(self, node, currently_within_NOT_node=False):
key, value = node
if ":" not in key:
- key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
+ # key wasn't mapped
+ return None
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if type(value) == str and "*" in value:
value = value.replace("*", "%")
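Review bot: Returning `None` for a key that was not mapped silently drops that condition from the STIX pattern, so the emitted indicator no longer corresponds to the Sigma rule — broader than intended in a positive selection, narrower under NOT (`currently_within_NOT_node`). Unless the caller reports dropped conditions, this should fail loudly, e.g. `raise NotSupportedError("STIX backend: no mapping for field %r" % key)`, or at minimum log a warning, so an unmapped field is visible to whoever deploys the pattern. The comment `# key wasn't mapped` should state the consequence: `# unmapped field: condition is dropped from the pattern`. `generateMapItemNode` continues below the hunk.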
diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py
index 66832d5766b..96302181595 100644
--- a/tools/sigma/backends/sysmon.py
+++ b/tools/sigma/backends/sysmon.py
@@ -20,6 +20,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
conditionDict = {
"startswith": "begin with",
"endswith": "end with",
+ "all": "contains all"
}
def __init__(self, *args, **kwargs):
@@ -78,14 +79,19 @@ def cleanValue(self, value):
def mapFiledValue(self, field, value):
condition = None
+ any_selector = "contains any"
if "|" in field:
field, *pipes = field.split("|")
if len(pipes) == 1:
- condition = pipes[0]
+ modifier = pipes[0]
+ if modifier in self.conditionDict:
+ condition = self.conditionDict[modifier]
+ if modifier == "all":
+ any_selector = "contains all"
else:
raise NotImplementedError("not implemented condition")
if isinstance(value, list) and len(value) > 1:
- condition = "contains any"
+ condition = any_selector
value = ";".join(value)
elif "*" in value:
if value.startswith("*") and value.endswith("*"):
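Review bot: `condition` now stays `None` for any modifier other than `startswith`, `endswith` or `all`, where the removed line passed the modifier string through verbatim; a rule using `|contains`, which Sysmon itself accepts as a condition, or `|re`, is therefore emitted with whatever the default condition is, silently changing the match semantics. Keep the quiet path for `all` (which only flips `any_selector`) and raise for the rest: `elif modifier != "all": raise NotImplementedError("unsupported modifier: %s" % modifier)`. Note also that `"*" in value` on the following `elif` is a list-membership test when `value` is a one-element list, which the hunk leaves as is. `mapFiledValue` continues past the end of the hunk.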
diff --git a/tools/sigma/backends/uberagent.py b/tools/sigma/backends/uberagent.py
index 569675091cd..682e91161df 100644
--- a/tools/sigma/backends/uberagent.py
+++ b/tools/sigma/backends/uberagent.py
@@ -34,7 +34,8 @@ def convert_sigma_name_to_uberagent_tag(name):
def convert_sigma_category_to_uberagent_event_type(category):
categories = {
"process_creation": "Process.Start",
- "image_load": "Image.Load"
+ "image_load": "Image.Load",
+ "dns": "Dns.Query"
}
if category in categories:
@@ -48,6 +49,14 @@ def is_sigma_category_supported(category):
return convert_sigma_category_to_uberagent_event_type(category) is not None
+class IgnoreTypedModifierException(Exception):
+ """
+ IgnoreTypedModifierException
+ Helper class to ignore exceptions of type identifiers that are not yet supported.
+ """
+ pass
+
+
class IgnoreFieldException(Exception):
"""
IgnoreFieldException
@@ -56,6 +65,13 @@ class IgnoreFieldException(Exception):
pass
+class IgnoreAggregationException(Exception):
+ """
+ IgnoreAggregationException
+ Helper class to ignore exceptions of aggregation rules that are not yet supported.
+ """
+
+
class MalformedRuleException(Exception):
"""
MalformedRuleException
@@ -79,6 +95,46 @@ def __init__(self):
self.description = ""
self.sigma_level = ""
+ # Specifies the properties that are being evaluated and send to the backend
+ # if an Activity Monitoring rule is matched.
+ self.generic_properties = {
+ "Process.": [
+ "Process.Hash.MD5",
+ "Process.Hash.SHA1",
+ "Process.Hash.SHA256",
+ "Process.Hash.IMP"
+ ],
+ "Image.": [
+ "Image.Name",
+ "Image.Path",
+ "Image.Hash.MD5",
+ "Image.Hash.SHA1",
+ "Image.Hash.SHA256",
+ "Image.Hash.IMP"
+ ],
+ "Net.": [
+ "Net.Target.Ip",
+ "Net.Target.Name",
+ "Net.Target.Port",
+ "Net.Target.Protocol"
+ ],
+ "Reg.": [
+ "Reg.Key.Path",
+ "Reg.Key.Path.New",
+ "Reg.Key.Path.Old"
+ "Reg.Key.Name",
+ "Reg.Parent.Key.Path",
+ "Reg.Value.Name",
+ "Reg.File.Name",
+ "Reg.Key.Sddl",
+ "Reg.Key.Hive",
+ ],
+ "Dns.": [
+ "Dns.QueryRequest",
+ "Dns.QueryResponse"
+ ]
+ }
+
def set_query(self, query):
"""Sets the generated query."""
self.query = query
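Review bot: `"Reg.Key.Path.Old"` in the `Reg.` list has no trailing comma, so Python concatenates it with the next literal and the list holds the bogus property `Reg.Key.Path.OldReg.Key.Name` while `Reg.Key.Name` vanishes; add the comma: `"Reg.Key.Path.Old",`. After the fix the list has nine entries, still inside the ten-property cap that `__str__` enforces, but a comment next to the dictionary noting that cap would keep future additions from being silently truncated. The header comment should also read `evaluated and sent to the backend` rather than `send`.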
@@ -148,6 +204,18 @@ def __str__(self):
result += "RiskScore = {}\n".format(self.risk_score)
result += "Query = {}\n".format(self.query)
+
+ counter = 1
+ for event_type_prefix in self.generic_properties:
+ if self.event_type.startswith(event_type_prefix):
+ for prop in self.generic_properties[event_type_prefix]:
+ # Generic properties are limited to 10.
+ if counter > 10:
+ break
+
+ result += "GenericProperty{} = {}\n".format(counter, prop)
+ counter += 1
+
return result
@@ -190,6 +258,7 @@ class uberAgentBackend(SingleTextQueryBackend):
active = True
config_required = False
rule = None
+ current_category = None
#
# SingleTextQueryBackend
@@ -201,8 +270,8 @@ class uberAgentBackend(SingleTextQueryBackend):
listExpression = "[%s]"
listSeparator = ", "
valueExpression = "\"%s\""
- nullExpression = "is null"
- notNullExpression = "is not null"
+ nullExpression = "%s == ''"
+ notNullExpression = "%s != ''"
mapExpression = "%s == %s"
mapListsSpecialHandling = True
mapListValueExpression = "%s in %s"
@@ -229,7 +298,31 @@ class uberAgentBackend(SingleTextQueryBackend):
"command": "Process.CommandLine",
"processname": "Process.Name",
"user": "Process.User",
- "username": "Process.User"
+ "username": "Process.User",
+ "company": "Process.Company"
+ }
+
+ fieldMappingPerCategory = {
+ "process_creation": {
+ "sha1": "Process.Hash.SHA1",
+ "imphash": "Process.Hash.IMP",
+ "childimage": "Process.Path"
+ # Not yet supported.
+ # "signed": "Process.IsSigned"
+ },
+ "image_load": {
+ "sha1": "Image.Hash.SHA1",
+ "imphash": "Image.Hash.IMP",
+ "childimage": "Image.Path"
+ # Not yet supported.
+ # "signed": "Image.IsSigned"
+ },
+ "dns": {
+ "query": "Dns.QueryRequest",
+ # Not yet supported.
+ # "record_type": "Dns.QueryResponseType",
+ "answer": "Dns.QueryResponse"
+ }
}
# We ignore some fields that we don't support yet but we don't want them to
@@ -240,19 +333,25 @@ class uberAgentBackend(SingleTextQueryBackend):
"logonid",
"integritylevel",
"currentdirectory",
- "company",
"parentintegritylevel",
- "sha1",
"eventid",
"parentuser",
- "imphash"
+ "parent_domain",
+ "signed",
+ "parentofparentimage",
+ "record_type"
]
rules = []
def fieldNameMapping(self, fieldname, value):
- """Maps field names to uberAgent field names."""
key = fieldname.lower()
+
+ if self.current_category is not None:
+ if self.current_category in self.fieldMappingPerCategory:
+ if key in self.fieldMappingPerCategory[self.current_category]:
+ return self.fieldMappingPerCategory[self.current_category][key]
+
if key not in self.fieldMapping:
if key in self.ignoreFieldList:
raise IgnoreFieldException()
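Review bot: The docstring `"""Maps field names to uberAgent field names."""` on `fieldNameMapping` is deleted and nothing replaces it, even though the method now has two lookup tiers; restore and extend it, e.g. `"""Map a Sigma field name to an uberAgent property. Per-category mappings (fieldMappingPerCategory) take precedence over the generic fieldMapping; fields in ignoreFieldList raise IgnoreFieldException."""`. The triple-nested `if` can be flattened without changing behaviour: `per_cat = self.fieldMappingPerCategory.get(self.current_category, {})` / `if key in per_cat: return per_cat[key]`. `fieldNameMapping` continues below the hunk.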
@@ -261,18 +360,26 @@ def fieldNameMapping(self, fieldname, value):
return self.fieldMapping[key]
+ def generateQuery(self, parsed):
+ if parsed.parsedAgg:
+ raise IgnoreAggregationException()
+
+ return self.generateNode(parsed.parsedSearch)
+
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
product, category, service, title, level, condition, description = get_parser_properties(sigmaparser)
- if product not in ["windows"]:
- return ""
# Do not generate a rule if the given category is unsupported by now.
if not is_sigma_category_supported(category):
return ""
- if category not in ["process_creation", "image_load"]:
+
+ # We support windows rules and generic rules that don't have a specific product specifier - such as DNS.
+ if product not in ["windows", ""]:
return ""
+ self.current_category = category
+
try:
rule = ActivityMonitoringRule()
@@ -287,6 +394,10 @@ def generate(self, sigmaparser):
rule.set_description(description)
self.rules.append(rule)
print("Generated rule <{}>.. [level: {}]".format(rule.name, level))
+ except IgnoreTypedModifierException:
+ return ""
+ except IgnoreAggregationException:
+ return ""
except IgnoreFieldException:
return ""
except MalformedRuleException:
@@ -313,16 +424,17 @@ def finalize(self):
count_low = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-low.conf", "low")
count_medium = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-medium.conf", "medium")
print("Generated {} activity monitoring rules..".format(len(self.rules)))
- print("This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, count_high, count_medium, count_low))
+ print(
+ "This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical,
+ count_high,
+ count_medium,
+ count_low))
def generateTypedValueNode(self, node):
- raise NotImplementedError("Default implementation for identifier {} not available.".format(node.identifier))
+ raise IgnoreTypedModifierException()
def generateMapItemTypedNode(self, fieldname, value):
- try:
- return self.typedValueExpression[type(value)] % (fieldname, str(value))
- except KeyError:
- raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
+ raise IgnoreTypedModifierException()
def generateMapItemListNode(self, key, value):
return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")"
@@ -331,6 +443,9 @@ def generateMapItemNode(self, node):
fieldname, value = node
transformed_fieldname = self.fieldNameMapping(fieldname, value)
+ if value is None:
+ return self.nullExpression % (transformed_fieldname,)
+
has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value))
if "," in self.generateNode(value) and not has_wildcard:
diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py
index 05e11133362..826775d8a75 100644
--- a/tools/sigma/configuration.py
+++ b/tools/sigma/configuration.py
@@ -68,6 +68,17 @@ def get_logsource(self, category, product, service):
category, product, service = logsource.rewrite
return SigmaLogsourceConfiguration(matching, self.defaultindex)
+ def get_logsourcemerging(self):
+ value = ''
+ for config in self:
+ if value == '':
+ value = config.get_logsourcemerging().lower()
+
+ if not value in ['and', 'or']:
+ value = 'and'
+
+ return value
+
def set_backend(self, backend):
"""Set backend for all sigma conversion configurations in chain."""
self.backend = backend
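Review bot: `get_logsourcemerging` has no docstring and `if not value in ['and', 'or']` should be written `if value not in ('and', 'or')`. The loop adopts the first configuration in the chain that returns a non-empty value, and any unrecognised setting (a typo such as `AND `) falls back to `'and'` silently; a docstring stating the precedence — `"""Return the 'logsourcemerging' setting ('and' or 'or') of the first config in the chain that defines one; anything else defaults to 'and'."""` — plus a warning on the fallback would make that behaviour visible. The per-config method added at line 135 could likewise use `is not None` instead of `!= None` and carry a one-line docstring.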
@@ -124,6 +135,12 @@ def get_logsource(self, category, product, service):
matching = [logsource for logsource in self.logsources if logsource.matches(category, product, service)]
return SigmaLogsourceConfiguration(matching, self.defaultindex)
+ def get_logsourcemerging(self):
+ if self.config != None:
+ if 'logsourcemerging' in self.config:
+ return self.config['logsourcemerging']
+ return ''
+
def set_backend(self, backend):
"""Set backend. This is used by other code to determine target properties for index addressing"""
self.backend = backend
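Review bot: `if self.config != None` should be `is not None`, and the two nested lookups collapse to `return self.config.get('logsourcemerging', '')` if `self.config` is the dict the `in` test implies. The getter returns the raw configured value while the chain-level caller lowercases and validates it, so normalisation is split across two classes; doing `str(...).lower()` here, or validating against 'and'/'or' in exactly one place, keeps the contract simple. A one-line docstring mirroring the one on `set_backend` below would keep the class consistent.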
diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py
index 5ec72b621fb..f3bc6feb235 100644
--- a/tools/sigma/filter.py
+++ b/tools/sigma/filter.py
@@ -15,6 +15,7 @@
# along with this program. If not, see .
# Rule Filtering
+import datetime
class SigmaRuleFilter:
"""Filter for Sigma rules with conditions"""
LEVELS = {
@@ -26,11 +27,16 @@ class SigmaRuleFilter:
STATES = ["experimental", "testing", "stable"]
def __init__(self, expr):
- self.minlevel = None
- self.maxlevel = None
- self.status = None
- self.logsources = list()
- self.tags = list()
+ self.minlevel = None
+ self.maxlevel = None
+ self.status = None
+ self.logsources = list()
+ self.notlogsources = list()
+ self.tags = list()
+ self.nottags = list()
+ self.inlastday = None
+ self.condition = list()
+ self.notcondition = list()
for cond in [c.replace(" ", "") for c in expr.split(",")]:
if cond.startswith("level<="):
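Review bot: `__init__` now parses a fair number of condition kinds but has no docstring describing the filter expression syntax, and the class docstring above still only says "Filter for Sigma rules with conditions". A docstring on `__init__` listing the accepted forms handled in the parser chain (`level<=`, `status=`, `logsource=`, `logsource!=`, `tag=`, `tag!=`, `condition=`, `condition!=`, `inlastday=` and the rest) and noting that conditions are comma-separated with all whitespace stripped would be worth adding; it runs longer than three lines so I am describing it rather than quoting it. The new `notlogsources`/`nottags`/`notcondition` attributes would also benefit from a one-line comment each stating that a rule is rejected when any listed value is present. `__init__` continues past the hunk.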
@@ -58,8 +64,22 @@ def __init__(self, expr):
raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond))
elif cond.startswith("logsource="):
self.logsources.append(cond[cond.index("=") + 1:])
+ elif cond.startswith("logsource!="):
+ self.notlogsources.append(cond[cond.index("=") + 1:])
elif cond.startswith("tag="):
self.tags.append(cond[cond.index("=") + 1:].lower())
+ elif cond.startswith("tag!="):
+ self.nottags.append(cond[cond.index("=") + 1:].lower())
+ elif cond.startswith("condition="):
+ self.condition.append(cond[cond.index("=") + 1:].lower())
+ elif cond.startswith("condition!="):
+ self.notcondition.append(cond[cond.index("=") + 1:].lower())
+ elif cond.startswith("inlastday="):
+ nbday = cond[cond.index("=") + 1:]
+ try:
+ self.inlastday = int(nbday)
+ except ValueError as e:
+ raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e
else:
raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond)
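Review bot: The `inlastday=` branch accepts any integer: `int("0")` silently disables the filter because the match code tests `if self.inlastday:`, and a negative value rejects every rule that has a date. Reject non-positive values at parse time, e.g. `if self.inlastday <= 0: raise SigmaRuleFilterParseException("Number of days must be positive in condition '%s'" % cond)`. The `logsource!=`/`tag!=`/`condition!=` branches rely on `cond.index("=")` landing on the `=` after the `!`, which works but is subtle enough to deserve a short comment such as `# value starts after the '=' of '!='`. `__init__` starts before the hunk.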
@@ -101,6 +121,17 @@ def match(self, yamldoc):
if logsrc not in logsources:
return False
+ # NOT Log Sources
+ if self.notlogsources:
+ try:
+ notlogsources = { value for key, value in yamldoc['logsource'].items() }
+ except (KeyError, AttributeError): # no log source set
+ return False # User wants status restriction, but it's not possible here
+
+ for logsrc in self.notlogsources:
+ if logsrc in notlogsources:
+ return False
+
# Tags
if self.tags:
try:
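Review bot: The comment on the new `except` branch says "User wants status restriction" but this block handles negated log sources, a copy-paste from an earlier block. More importantly, returning False when the rule has no logsource means `logsource!=windows` drops every rule that lacks a logsource entirely, which is the opposite of what a negation usually means; if that is intended, the comment should say so, otherwise the block should fall through to the next check instead of returning. `notlogsources` is built from the mapping's values only, so it can be written as `set(yamldoc['logsource'].values())` with a comment that the key (`product`/`category`/`service`) is deliberately ignored. `match` continues outside the hunk.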
@@ -111,6 +142,62 @@ def match(self, yamldoc):
for tag in self.tags:
if tag not in tags:
return False
+ # NOT Tags
+ if self.nottags:
+ try:
+ nottags = [ tag.lower() for tag in yamldoc['tags']]
+ except (KeyError, AttributeError): # no tags set
+ return False
+
+ for tag in self.nottags:
+ if tag in nottags:
+ return False
+
+ # date in the last N days
+ if self.inlastday:
+ try:
+ date_str = yamldoc['date']
+ except KeyError: # missing date
+ return False # User wants date time restriction, but it's not possible here
+
+ try:
+ modified_str = yamldoc['modified']
+ except KeyError: # no update
+ modified_str = None
+ if modified_str:
+ date_str = modified_str
+
+ date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d')
+ today_objet = datetime.datetime.now()
+ delta = today_objet - date_object
+ if delta.days > self.inlastday:
+ return False
+
+ if self.condition:
+ try:
+ conditions = yamldoc['detection']['condition']
+ if isinstance(conditions,list): # sone time conditions are list even with only 1 line
+ s_condition = ' '.join(conditions)
+ else:
+ s_condition = conditions
+ except KeyError: # missing condition
+ return False # User wants condition restriction, but it's not possible here
+ for val in self.condition:
+ if not val in s_condition:
+ return False
+
+ if self.notcondition:
+ try:
+ conditions = yamldoc['detection']['condition']
+ if isinstance(conditions,list): # sone time conditions are list even with only 1 line
+ s_condition = ' '.join(conditions)
+ else:
+ s_condition = conditions
+ except KeyError: # missing condition
+ return False # User wants condition restriction, but it's not possible here
+ for val in self.notcondition:
+ if val in s_condition:
+ return False
# all tests passed
return True
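Review bot: `condition=`/`condition!=` values are lowercased at parse time, but `s_condition` built from `yamldoc['detection']['condition']` is compared as-is, so a rule written as `selection AND NOT filter` never matches `condition=and`; the rule's condition string needs lowercasing before the `in` tests. The extraction of that string is duplicated verbatim for `condition` and `notcondition` and belongs in one helper. The `inlastday` block lets `datetime.strptime` raise a bare ValueError on a malformed date and uses try/except to read `modified` where `yamldoc.get('modified')` suffices; the sketch below treats an unparsable date like a missing one, which is my guess at the intended policy rather than something the hunk states. `match` begins outside the hunk.

```python
        # … unchanged: NOT Tags block …

        # date in the last N days
        if self.inlastday:
            date_str = yamldoc.get('modified') or yamldoc.get('date')
            if date_str is None:
                return False  # User wants date time restriction, but it's not possible here
            try:
                date_object = datetime.datetime.strptime(str(date_str), '%Y/%m/%d')
            except ValueError:  # malformed date: treated like a missing one
                return False
            delta = datetime.datetime.now() - date_object
            if delta.days > self.inlastday:
                return False

        if self.condition or self.notcondition:
            s_condition = self._condition_string(yamldoc)
            if s_condition is None:  # missing condition
                return False  # User wants condition restriction, but it's not possible here
            if any(val not in s_condition for val in self.condition):
                return False
            if any(val in s_condition for val in self.notcondition):
                return False
        # all tests passed
        return True

    def _condition_string(self, yamldoc):
        """Return the rule's condition as one lowercased string, or None if absent."""
        try:
            conditions = yamldoc['detection']['condition']
        except (KeyError, TypeError):
            return None
        if isinstance(conditions, list):  # sometimes a list even with only 1 line
            conditions = ' '.join(conditions)
        return str(conditions).lower()
```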
diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py
index 7de47cce73c..b7cc9ccf1e4 100644
--- a/tools/sigma/parser/collection.py
+++ b/tools/sigma/parser/collection.py
@@ -28,7 +28,7 @@ class SigmaCollectionParser:
* reset: resets global attributes from previous set_global statements
* repeat: takes attributes from this YAML document, merges into previous rule YAML and regenerates the rule
"""
- def __init__(self, content, config=None, rulefilter=None):
+ def __init__(self, content, config=None, rulefilter=None, filename=None):
if config is None:
from sigma.configuration import SigmaConfiguration
config = SigmaConfiguration()
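Review bot: The new `filename=None` parameter is undocumented: the class docstring above describes actions but not constructor arguments, and nothing states what type `filename` is. From the `.name`/`.parent` use in the following hunk and the `sigmafile` argument passed in sigmac.py it looks like a `pathlib.Path`, but that is an inference; a docstring line such as `filename: pathlib.Path of the rule file, used to set yml_filename/yml_path on each rule; None when reading from a stream` would pin the contract down. `__init__` continues outside the hunk.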
@@ -36,6 +36,13 @@ def __init__(self, content, config=None, rulefilter=None):
globalyaml = dict()
self.parsers = list()
prevrule = None
+ if filename:
+ try:
+ globalyaml['yml_filename']=str(filename.name)
+ globalyaml['yml_path']=str(filename.parent)
+ except:
+ filename = None
+
for yamldoc in self.yamls:
action = None
try:
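Review bot: The bare `except:` in the new filename block catches everything, including KeyboardInterrupt and SystemExit, to tolerate a `filename` without `.name`/`.parent`; narrow it to `except AttributeError:`. Because `yml_filename` is assigned before `yml_path`, an object that has `.name` but no `.parent` (an open file object, for example, has `.name`) leaves `yml_filename` set while `filename` is reset to None, so the `reset` branch in the next hunk then sees inconsistent metadata; compute both values first, e.g. `meta = {'yml_filename': str(filename.name), 'yml_path': str(filename.parent)}` inside the try and `globalyaml.update(meta)` after it. The same two assignments are duplicated in the `reset` branch; a small local helper would remove that duplication. `__init__` starts outside the hunk.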
@@ -48,6 +55,9 @@ def __init__(self, content, config=None, rulefilter=None):
deep_update_dict(globalyaml, yamldoc)
elif action == "reset":
globalyaml = dict()
+ if filename:
+ globalyaml['yml_filename']=str(filename.name)
+ globalyaml['yml_path']=str(filename.parent)
elif action == "repeat":
if prevrule is None:
raise SigmaCollectionParseError("action 'repeat' is only applicable after first valid Sigma rule")
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py
index 516465bd958..a4c908cc862 100644
--- a/tools/sigma/parser/condition.py
+++ b/tools/sigma/parser/condition.py
@@ -403,7 +403,8 @@ def _optimizeNode(self, node, changes=False):
if len(promoted) > 0:
for child in node.items:
for cand in promoted:
- child.items.remove(cand)
+ if cand in child.items:
+ child.items.remove(cand)
newnode = othertype()
newnode.items = promoted
newnode.add(node)
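Review bot: The added `if cand in child.items` guard silently tolerates a promoted candidate being absent from a child, but if `promoted` is computed as the items common to every child (presumably, the computation is outside the hunk), an absence points to duplicate items or to equality semantics differing between the promotion scan and `list.remove`; a comment stating why this can happen, e.g. `# a child may list the same item twice, so it can already be gone`, would stop the next reader from treating the guard as dead code. If duplicates are the cause, `while cand in child.items:` is the more accurate fix than a single conditional removal. `_optimizeNode` starts and ends outside the hunk.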
diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py
index d134491915a..763beaf5641 100644
--- a/tools/sigma/parser/rule.py
+++ b/tools/sigma/parser/rule.py
@@ -134,26 +134,27 @@ def get_logsource(self):
return self.config.get_logsource(category, product, service)
+ def build_conditions(self, condition_func, items):
+ cond = condition_func()
+ for item in items:
+ if type(item) is list:
+ cond.add(self.build_conditions(ConditionAND, item))
+ else:
+ mapping = self.config.get_fieldmapping(item[0])
+ cond.add(mapping.resolve(item[0], item[1], self))
+
+ return cond
+
def get_logsource_condition(self):
logsource = self.get_logsource()
if logsource is None:
return None
else:
- if logsource.merged: # Merged log source, flatten nested list of condition items
- kvconds = [ item for sublscond in logsource.conditions for item in sublscond ]
- else: # Simple log sources already contain flat list of conditions items
- kvconds = logsource.conditions
-
- # Apply field mappings
- mapped_kvconds = list()
- for field, value in kvconds:
- mapping = self.config.get_fieldmapping(field)
- mapped_kvconds.append(mapping.resolve(field, value, self))
-
- # AND-link condition items
cond = ConditionAND()
- for kvcond in mapped_kvconds:
- cond.add(kvcond)
+ if self.config.get_logsourcemerging() == 'or':
+ cond.add(self.build_conditions(ConditionOR, logsource.conditions))
+ else:
+ cond.add(self.build_conditions(ConditionAND, logsource.conditions))
# Add index condition if supported by backend and defined in log source
index_field = self.config.get_indexfield()
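Review bot: `build_conditions` has no docstring and uses `type(item) is list` where `isinstance(item, list)` is the idiomatic form and reads the list-vs-pair distinction more clearly. Suggested one-line docstring: `"""Build a condition_func() node from log source condition items: nested lists become AND-linked sub-nodes, leaves are (field, value) pairs resolved through the field mapping."""`. Note the behaviour change from the removed code: `cond` now always receives one nested node, so an empty `logsource.conditions` yields an empty ConditionAND/ConditionOR inside `cond` where the old code produced an empty `cond` with no children — worth checking that every backend renders an empty group harmlessly. With merging set to 'or', only the top level is OR-linked while nested lists stay AND-linked, which should be stated in the docstring. `get_logsource_condition` continues outside the hunk.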
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index a3994e61529..5d50a3733d5 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -233,7 +233,7 @@ def main():
f = sigmafile
else:
f = sigmafile.open(encoding='utf-8')
- parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
+ parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile)
results = parser.generate(backend)
newline_separator = '\0' if cmdargs.print0 else '\n'
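Review bot: `sigmafile` is passed through as `filename` even in the branch where `f = sigmafile`, i.e. when it is already an open stream rather than a path; a file object has `.name` but no `.parent`, so that case only works by falling into the collection parser's except branch. Passing `None` when not reading from a path, e.g. `SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile if f is not sigmafile else None)`, makes the intent explicit instead of relying on exception handling for control flow. `main` starts and ends outside the hunk.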
@@ -243,23 +243,23 @@ def main():
print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
error = ERR_OPEN_SIGMA_RULE
except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
error = ERR_INVALID_YAML
if not cmdargs.defer_abort:
sys.exit(error)
except (SigmaParseError, SigmaCollectionParseError) as e:
- print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
error = ERR_SIGMA_PARSING
if not cmdargs.defer_abort:
sys.exit(error)
except NotSupportedError as e:
- print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
+ print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
if not cmdargs.ignore_backend_errors:
error = ERR_NOT_SUPPORTED
if not cmdargs.defer_abort:
sys.exit(error)
except BackendError as e:
- print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
if not cmdargs.ignore_backend_errors:
error = ERR_BACKEND
if not cmdargs.defer_abort:
@@ -272,13 +272,13 @@ def main():
if not cmdargs.defer_abort:
sys.exit(error)
except PartialMatchError as e:
- print("Partial field match error: %s" % str(e), file=sys.stderr)
+ print("Error: Partial field match error: %s" % str(e), file=sys.stderr)
if not cmdargs.ignore_backend_errors:
error = ERR_PARTIAL_FIELD_MATCH
if not cmdargs.defer_abort:
sys.exit(error)
except FullMatchError as e:
- print("Full field match error", file=sys.stderr)
+ print("Error: Full field match error", file=sys.stderr)
if not cmdargs.ignore_backend_errors:
error = ERR_FULL_FIELD_MATCH
if not cmdargs.defer_abort:
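Review bot: The `FullMatchError` message is rewritten but still drops the exception text, unlike every sibling handler in this and the previous hunk; `print("Error: Full field match error: %s" % str(e), file=sys.stderr)` keeps the handlers uniform and tells the user which field was involved, assuming the exception carries that text. `main` starts and ends outside the hunk.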
diff --git a/tools/tests/test_backend_devo.py b/tools/tests/test_backend_devo.py
new file mode 100644
index 00000000000..9dd412b76c5
--- /dev/null
+++ b/tools/tests/test_backend_devo.py
@@ -0,0 +1,237 @@
+# Test output backends for sigmac
+# Copyright 2021 Devo, Inc.
+# Author: Eduardo Ocete
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import unittest
+from unittest.mock import patch
+
+from sigma.backends.devo import DevoBackend
+
+from sigma.parser.collection import SigmaCollectionParser
+from sigma.configuration import SigmaConfiguration
+
+class TestDevoBackend(unittest.TestCase):
+
+ def setUp(self):
+ self.basic_rule = {"title": "Devo Backend Test", "level": "testing"}
+ self.table = "sourcetable"
+
+ def testPlain(self):
+ # Int value
+ detection = {"selection1": {"fieldname1": 1},
+ "condition": "selection1"}
+ expected_result = 'from {} where fieldname1 = 1 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # String value
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1"}
+ expected_result = 'from {} where fieldname1 = "value1" select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Int array value
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "condition": "selection1"}
+ expected_result = 'from {} where has(fieldname1, 1, 2, 3) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # String array value
+ detection = {"selection1": {"fieldname1": ["value1", "value2", "value3"]},
+ "condition": "selection1"}
+ expected_result = 'from {} where has(fieldname1, "value1", "value2", "value3") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Simple and
+ detection = {"selection1": {"fieldname1": ["value1", "value2", "value3"],
+ "fieldname2": "value5"},
+ "condition": "selection1"}
+ expected_result = 'from {} where (has(fieldname1, "value1", "value2", "value3") and fieldname2 = "value5") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Selection and
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "selection2": {"fieldname2": "value5"},
+ "condition": "selection1 and selection2"}
+ expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and fieldname2 = "value5") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Selection or
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "selection2": {"fieldname2": "value5"},
+ "condition": "selection1 or selection2"}
+ expected_result = 'from {} where (has(fieldname1, 1, 2, 3) or fieldname2 = "value5") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Selection one of them
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "selection2": {"fieldname2": "value5"},
+ "condition": "1 of them"}
+ expected_result = 'from {} where (has(fieldname1, 1, 2, 3) or fieldname2 = "value5") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Selection all of them
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "selection2": {"fieldname2": "value5"},
+ "condition": "all of them"}
+ expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and fieldname2 = "value5") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Negation
+ detection = {"selection1": {"fieldname1": [1, 2, 3]},
+ "selection2": {"fieldname2": "value5"},
+ "condition": "selection1 and not selection2"}
+ expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and not (fieldname2 = "value5")) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+
+ def testModifiers(self):
+ # Contains
+ detection = {"selection1": {"fieldname1|contains": "value1"},
+ "condition": "selection1"}
+ expected_result = 'from {} where toktains(fieldname1, "value1", true, true) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # StartsWith
+ detection = {"selection1": {"fieldname1|startswith": "value1"},
+ "condition": "selection1"}
+ expected_result = 'from {} where matches(fieldname1, nameglob("value1*")) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # EndsWith
+ detection = {"selection1": {"fieldname1|endswith": "value1"},
+ "condition": "selection1"}
+ expected_result = 'from {} where matches(fieldname1, nameglob("*value1")) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # All
+ detection = {"selection1": {"fieldname1|all": ["value1", "value2"]},
+ "condition": "selection1"}
+ expected_result = 'from {} where (fieldname1 = "value1" and fieldname1 = "value2") select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ def testAggregations(self):
+ # Count
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | count() > 1"}
+ expected_result = 'from {} where fieldname1 = "value1" select count(*) as agg where agg > 1 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Min
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | min(fieldname2) by fieldname3 > 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select min(fieldname2) as agg where agg > 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Max
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | max(fieldname2) by fieldname3 > 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select max(fieldname2) as agg where agg > 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Avg
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | avg(fieldname2) by fieldname3 > 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select avg(fieldname2) as agg where agg > 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # sum
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | sum(fieldname2) by fieldname3 > 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg > 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # <
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | sum(fieldname2) by fieldname3 < 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg < 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # ==
+ detection = {"selection1": {"fieldname1": "value1"},
+ "condition": "selection1 | sum(fieldname2) by fieldname3 == 5"}
+ expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg == 5 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # Multiple conditions
+ detection = {"selection1": {"fieldname1": "value1"},
+ "selection2": {"fieldname2": "*", "fieldname3": "*"},
+ "condition": "selection1 or selection2 | count(fieldname4) by fieldname5 > 3"}
+ expected_result = 'from {} where (fieldname1 = "value1" or (matches(fieldname2, nameglob("*")) and matches(fieldname3, nameglob("*")))) group by fieldname5 select count(fieldname4) as agg where agg > 3 select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ def testFullTextSearch(self):
+ # Single str FTS
+ detection = {"selection1": ["value1"],
+ "condition": "selection1"}
+ expected_result = 'from {} where weaktoktains(raw, "value1", true, true) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ # OR node FTS
+ detection = {"selection1": {"fieldname1": "value1"},
+ "selection2|contains": ["value2", "value3"],
+ "condition": "1 of them"}
+ expected_result = 'from {} where (fieldname1 = "value1" or weaktoktains(raw, "value2", true, true) or weaktoktains(raw, "value3", true, true)) select *'.format(self.table)
+ self.validate(detection, expected_result)
+
+ def testRegex(self):
+ # Arrange
+ detection = {"selection1": {"fieldname1|re": "([0-9]|[1-9][0-9]|[1-4][0-9]{2})"},
+ "condition": "selection1"}
+ expected_result = 'from ' + self.table + ' where matches(fieldname1, re(\"([0-9]|[1-9][0-9]|[1-4][0-9]{2})\")) select *'
+
+ # Act & Assert
+ self.validate(detection, expected_result)
+
+ def testDerivedFields(self):
+ # Arrange
+ detection = {"selection1": {"select func(fieldname1) as fieldname1": "value1"},
+ "condition": "selection1"}
+ expected_result = 'from ' + self.table + \
+ ' select func(fieldname1) as fieldname1 where fieldname1 = "value1" select *'
+ # Act & Assert
+ self.validate(detection, expected_result)
+
+ def testNearNotSupported(self):
+ # Arrange
+ detection = {"selection1": {"fieldname1": "value1"},
+ "selection2": {"fieldname2": "value2"},
+ "condition": "selection1 | near selection1 and selection2"}
+ expected_result = NotImplementedError()
+
+ # Act & Assert
+ self.validate(detection, expected_result)
+
+
+ def validate(self, detection, expectation):
+ config = SigmaConfiguration()
+
+ self.basic_rule["detection"] = detection
+
+ with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
+ parser = SigmaCollectionParser("any sigma io", config, None)
+ backend = DevoBackend(config, self.table)
+
+ assert len(parser.parsers) == 1
+
+ for p in parser.parsers:
+ if isinstance(expectation, str):
+ self.assertEqual(expectation, backend.generate(p))
+ elif isinstance(expectation, Exception):
+ self.assertRaises(type(expectation), backend.generate, p)
+
+
+if __name__ == '__main__':
+ unittest.main()
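Review bot: `validate` silently passes when `expectation` is neither a str nor an Exception, and uses a bare `assert` for the parser count, which `python -O` strips; use `self.assertEqual(len(parser.parsers), 1)` and add `else: self.fail("unsupported expectation type %r" % type(expectation))`. `setUp` gives the basic rule `"level": "testing"`, which reads like a status value rather than a Sigma level — harmless for these assertions but misleading as a fixture. Patching `yaml.safe_load_all` module-wide only works while the parser looks the function up through the `yaml` module at call time, which deserves a one-line comment so a later `from yaml import safe_load_all` refactor does not silently break every test here.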
diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py
index b4bd820266a..b30da675dcf 100644
--- a/tools/tests/test_backend_sql.py
+++ b/tools/tests/test_backend_sql.py
@@ -125,7 +125,7 @@ def test_aggregations(self):
# count
detection = {"selection": {"fieldname": "test"},
"condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
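Review bot: The new expected inner queries of the form `SELECT *,count(*) AS agg FROM … GROUP BY fieldname3` (this hunk, the group-by and multiple-condition hunks further down, and the sqlite test hunks) encode SQL that SQLite accepts but stricter engines reject — PostgreSQL errors on non-aggregated columns outside GROUP BY and MySQL does under ONLY_FULL_GROUP_BY; the backend change producing it is not in this diff, so treat this as a hedge rather than a finding. If returning matching rows alongside the aggregate is deliberate for the generic SQL backend, a comment on the first expectation saying so would spare the next reader the same question. Only expectation strings change here; `test_aggregations` starts and ends outside the hunk.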
@@ -133,7 +133,7 @@ def test_aggregations(self):
# min
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | min(fieldname2) > 5"}
- inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -141,7 +141,7 @@ def test_aggregations(self):
# max
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | max(fieldname2) > 5"}
- inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -149,7 +149,7 @@ def test_aggregations(self):
# avg
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | avg(fieldname2) > 5"}
- inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -157,7 +157,7 @@ def test_aggregations(self):
# sum
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | sum(fieldname2) > 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -165,7 +165,7 @@ def test_aggregations(self):
# <
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | sum(fieldname2) < 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -173,7 +173,7 @@ def test_aggregations(self):
# ==
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | sum(fieldname2) == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -181,7 +181,7 @@ def test_aggregations(self):
# group by
detection = {"selection": {"fieldname1": "test"},
"condition": "selection | sum(fieldname2) by fieldname3 == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -189,7 +189,7 @@ def test_aggregations(self):
# multiple conditions
detection = {"selection": {"fieldname1": "test"}, "filter": {
"fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
- inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
+ inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
self.validate(detection, expected_result)
diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py
index ac76477394c..294a59de29f 100644
--- a/tools/tests/test_backend_sqlite.py
+++ b/tools/tests/test_backend_sqlite.py
@@ -71,14 +71,14 @@ def test_full_text_search_aggregation(self):
# aggregation with fts
detection = {"selection": ["test"],
"condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
detection = {"selection": ["test1", "test2"],
"condition": "selection | count() > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)
@@ -86,7 +86,7 @@ def test_full_text_search_aggregation(self):
# aggregation + group by + fts
detection = {"selection": ["test1", "test2"],
"condition": "selection | count() by fieldname > 5"}
- inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
+ inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
self.table)
expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
self.validate(detection, expected_result)