Merge pull request SigmaHQ#815 from Neo23x0/rule-devel

Rule devel
rkondracki · Jun 6, 2020 · 72deaa9 · 72deaa9
2 parents 7d70cd9 + 3697186
commit 72deaa9
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
@@ -0,0 +1,25 @@
+title: Covenant Launcher Indicators
+id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
+description: Detects suspicious command lines used in Covenant luanchers
+status: experimental
+references:
+    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
+author: Florian Roth
+date: 2020/06/04
+tags:
+  - attack.execution
+  - attack.t1086
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - ' -Sta -Nop -Window Hidden -Command '
+            - ' -Sta -Nop -Window Hidden -EncodedCommand '
+            - 'sv o (New-Object IO.MemorySteam);sv d '
+            - 'mshta file.hta'
+            - 'GruntHTTP'
+            - '-EncodedCommand cwB2ACAAbwAgA'
+    condition: selection
+level: high
diff --git a/rules/windows/sysmon/sysmon_etw_disabled.yml b/rules/windows/sysmon/sysmon_etw_disabled.yml
@@ -0,0 +1,26 @@
+title: ETW Disabled
+id: 11985f9f-2590-4f59-beea-88cc0507f350
+status: experimental
+description: Detects methods that disable ETW (Event Tracing) to evade detection
+references: 
+    - https://twitter.com/_xpn_/status/1268712093928378368?s=20
+    - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+author: Florian Roth
+date: 2020/06/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13  # value set
+        TargetObject|contains: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
+        Details|contains: '0x00000000'
+    condition: selection
+fields:
+    - Image
+falsepositives:
+    - Services or programs that disable the ETW temporarily
+level: high
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -1,8 +1,7 @@
 title: New DLL Added to AppInit_DLLs Registry Key
 id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
 status: experimental
-description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
-    into every process that loads user32.dll
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
 references:
     - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
 tags: